valerybrozhinsky - stock.adobe.c

Russia behind dangerous Cyclops Blink malware

Joint NCSC CISA advisory attributes a dangerous malware, dubbed Cyclops Blink, to Russia’s Sandworm APT, likely a GRU unit, with WatchGuard users at particular risk

WatchGuard users should be on high alert for a sophisticated new form of malware called Cyclops Blink, which has been attributed to the Sandworm (aka Voodoo Bear, BlackEnergy) advanced persistent threat (APT) actor, part of Russia’s GRU’s Main Centre for Special Technologies, or GTsST, the same group that disrupted the Ukrainian electricity network in 2015, and launched the disruptive NotPetya attacks two years later.

According to an advisory published by the National Cyber Security Centre (NCSC) and its US partner, the Cybersecurity and Infrastructure Security Agency (CISA), Cyclops Blink is a large-scale modular malware framework that for now affects only WatchGuard network devices. It has been tracked since 2019 and is likely some form of successor to the Sandworm-linked VPNFilter malware, which was disrupted in May 2018.

VPNFilter was also a modular malware, deployed in stages, that enabled traffic manipulation, destruction of host devices, the exploitation of downstream devices, and the monitoring of Modbus SCADA protocols – something Sandworm is particularly keen on. It was widely and indiscriminately used against targets in Ukraine and in South Korea around the time of the 2018 Olympic Winter Games, prior to its disruption by the US. Since then, Sandworm seems to have mostly abandoned this project.

Like VPNFilter, Cyclops Blink has been used widely against targets of interest to Russia, so far just against WatchGuard devices, but the NCSC and CISA assess it is highly likely that Sandworm could compile it to target other architectures and firmwares.

Vulnerable WatchGuard devices will have been reconfigured from the factory default settings to open remote management interfaces to external access.

Post exploitation, Cyclops Blink will generally arrive in a firmware update that achieves persistence once the target device is rebooted, making it tougher to remove. Victim devices are then organised into clusters, with each deployment having a list of command and control (C2) IP addresses and ports that it can use – again, to date all of these have been used by compromised WatchGuard firewalls.

Cyclops Blink’s clients and servers use individually generated keys and certificates to communicate, protected by Transport Layer Security (TLS), the whole controlled by connecting to the C2 layer via the Tor network.

As previously noted, the malware persists on reboot and throughout the legitimate firmware update process, so affected organisations will need to take steps to remove it. If found to be infected, also assume any passwords present on the firewall are compromised and replace them, then make sure that the management interfaces of your network devices are not exposed to the internet.

The NCSC stressed that a Cyclops Blink infection does not mean that your organisation is the main target, but it may be selected to be, or your devices could be being used to attack the real targets.

WatchGuard has provided further guidance and tooling which can be found here, while the NCSC has also published its own analysis which can be found here.

A WatchGuard spokesperson said: “Based on current estimates, Cyclops Blink may have affected approximately 1% of active WatchGuard firewall appliances; no other WatchGuard products are affected.

“There is no evidence of data exfiltration from WatchGuard or its customers [and] WatchGuard’s own network has not been affected or breached.”

John Hultquist, vice-president of Mandiant Threat Intelligence said Sandworm was a very concerning group given its previous track record of malicious activity.

“The latest revelation about Sandworm is a timely reminder that they are still a capable and clever adversary. In light of the crisis in Ukraine, we are very concerned about this actor, who has surpassed all others we track in terms of the aggressive cyber attacks and information operations they have conducted,” he said.

“No other Russian actor has been so brazen and successful in disrupting critical infrastructure in Ukraine and elsewhere. Hopefully, the timing of this disclosure will better enable us to defend against this threat actor as relations between Russia and others deteriorate and the likelihood of cyber attacks beyond Ukraine continues to grow.”

This article was amended at 16:21 UTC on 1 March to correct a factual error; Mandiant did not take part in this investigation.

Read more about Sandworm

Read more on Hackers and cybercrime prevention

Data Center
Data Management