US, UK attribute Cyclops Blink to Sandworm

Authorities have connected a recent malware campaign to Sandworm, the APT group behind destructive attacks like the ones involving NotPetya in 2017.

Joint security advisories Wednesday by the United Kingdom's National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI revealed that the Russian-based group, also known as Voodoo, replaced its VPNFilter malware with Cyclops Blink. While authorities and vendors pinpoint Cyclops Blink initial activity to 2019 -- more than one year after VPNFilter was disrupted by the U.S. Department of Justice -- this is the first time it has been publicly attributed.

In the past, Sandworm deployed the VPNFilter botnet to exploit "network devices, primarily small office and home office (SOHO) routers and network attached storage (NAS) devices," according to the advisory. It was even used to target victims in the Republic of Korea prior to the 2018 Winter Olympics and for a series of attacks against Georgia in 2019. In 2020, six intelligence officers at Russia's GRU's Main Centre for Special Technologies associated with Sandworm were indicted by the United States.

It appears they are still active as they retool away from one malicious malware to the next. The advisory described Cyclops Blink as "sophisticated and modular," providing Sandworm with the ability to "add new modules while the malware is running." To date, authorities have primarily observed it used against network security vendor WatchGuard Technologies. However, the advisory warned its use will likely extend to "other architectures and firmware."

"In common with the VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread," the NCSC advisory said.

To shed more light on the threat, WatchGuard provided two samples of the botnet to the FBI taken from its Firebox devices. An analysis found that the actor obfuscated the botnet as part of the reboot and as a legitimate firmware update.

"The developers have clearly reverse engineered the WatchGuard Firebox firmware update process and have identified a specific weakness in this process, namely the ability to recalculate the HMAC value used to verify a firmware update image," the report said.

WatchGuard addressed the threat in a blog post Wednesday, after working with authorities and Mandiant to investigate the impact, which appears limited so far. WatchGuard confirmed that its own network "has not been affected or breached." Additionally, the investigation found no evidence of data exfiltration from the company or its customers.

The Seattle-based vendor was founded in 2015 and according to its LinkedIn page, its offerings "protect more than 250,000 customers." The blog emphasized that the impact is likely limited to its business customers.

"Based on current estimates, Cyclops Blink may have affected approximately 1% of active WatchGuard firewall appliances; no other WatchGuard products are affected," the blog said.

Together with authorities, WatchGuard has employed a four-step process, which includes a detection tool, to determine a diagnosis and remediation if necessary. The portion regarding future protection steps is applicable to all customers, according to the blog. The joint advisory warned that if a device is infected, users should "assume any passwords present on the device have been compromised and replace them."