The US says it has disrupted the “Cyclops Blink” botnet by hacking into some of the infected devices and removing the malware onboard.
The FBI did so by securing a court order that permitted federal agents to scrub the malware from command-and-control (C2) devices in the botnet, the Justice Department said on Wednesday.
The US blames Russia’s military intelligence, the GRU, for creating the botnet as a way to spy on company networks. Back in February, federal officials warned that a new strain of Linux-based malware, called Cyclops Blink, had been found targeting vulnerable routers and firewall devices from PC maker Asus and network security provider WatchGuard.
Once it infects, Cyclops Blink can allow a hacker to remotely upload and download files to the device, including other malicious payloads. It can also be used to modify and disable the firewall device. Since Cyclops Blink receives instructions from a list of C2 machines, infected devices operate as an army of enslaved computers, also known as a botnet.
Cyclop Blinks spanned thousands of devices, including hundreds found in the US. But on Wednesday, the Justice Department said FBI investigators had disabled the C2 mechanisms behind the botnet, thus neutralizing the threat.
In court documents, the FBI said it began analyzing the malware last year, and noticed it communicated to dozens of IP addresses belonging to C2 devices that run the botnet. In January, the FBI then identified one of the C2 devices in the US, and obtained the machine with the owner’s consent.
This helped federal agents develop “a means of impersonating” the hacker’s control panel to send commands to the malware. The FBI then asked for a court warrant to send instructions to the rest of the botnet’s C2 devices to uninstall the Cyclops Blink malware and also change the firewall rules to block future access.
“Other than collecting the underlying C2 devices’ serial numbers through an automated script and copying the C2 malware, it did not search for or collect other information from the relevant victim networks,” the Justice Department said. “Further, the operation did not involve any FBI communications with bot devices.”
It’s not the first time the FBI has resorted to such tactics. Last year, the Justice Department announced it had secured a court order to remove malicious web shells from hundreds of vulnerable computers running Microsoft Exchange Server software.
The court-sanctioned hacking essentially amounts to the FBI directly patching the vulnerable devices, rather than waiting for owners to do it themselves. “This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said US Assistant Attorney General Matthew Olsen in Wednesday’s announcement.
However, the Justice Department said the court-sanctioned hacking only stopped the malicious activity on infected products that acted as C2 devices. “WatchGuard and Asus devices that acted as bots may remain vulnerable to Sandworm (the Russian GRU hacking group) if device owners do not take the WatchGuard and Asus recommended detection and remediation steps. The department strongly encourages network defenders and device owners to review the Feb. 23 advisory and WatchGuard and Asus releases,” it added.