The Department of Justice announced Wednesday it had disrupted Russian intelligence’s grip on “thousands” of systems hijacked into the Cyclops Blink botnet.
The DoJ received a court order in mid-March permitting it to disable Cyclops Blink malware still active on ASUS and WatchGuard brand network devices without the consent of the device owners. ASUS and WatchGuard had issued remediation guidance soon after Cyclops Blink was first announced, but by the time of the court order, the majority of infected users had still not remediated their devices.
“Fortunately, we were able to disrupt this botnet before it could be used,” said Attorney General Merrick Garland at a press conference.
The DoJ said that its procedure was minimally invasive: it copied nothing but the malware and the device serial numbers, deleted the malware, and blocked the external management port that the Russian hacking unit Sandworm had used in the attack, without viewing or accessing any other network information.
The DoJ used a similar tactic with a court order in 2021 to disrupt Chinese web shells on Microsoft Exchange Server, fixing what it said were hundreds of servers.
Sandworm is believed to be the successor to VPNFilter, a campaign that Ukrainian officials claimed was used in an attack on a chlorine distribution center as far back as 2018. More recently, SentinelOne found code overlaps between VPNFilter and malware it believes may have been used to disable Viasat modems, though SentinelOne does not believe code overlaps alone are enough to support any kind of attribution.
While victims may temporarily be freed from Cyclops Blink, ASUS and WatchGuard relayed through the DoJ that victims still need to follow the vendors' remediation guidance to prevent a repeat infection.