Sandworm APT ramps up Cyclops Blink botnet with Asus routers

Asus devices are being targeted in what appears to be a state-sponsored botnet campaign, according to new research released Thursday by Trend Micro.

The Cyclops Blink botnet has been observed since at least June 2019 and is reportedly connected to Sandworm, the infamous Russian advanced persistent threat (APT) group. This connection was reported in late February by cybersecurity officials for the U.S. and U.K.; both governments issued advisories warning that devices from network security vendor WatchGuard were under attack and being used as botnet infrastructure.

A separate version of the Cyclops Blink malware is now targeting Asus routers, according to Trend Micro's research. The report both calls attention to the botnet's expansion and provides a technical analysis of how the malware works.

Trend Micro researchers Feike Hacquebord, Stephen Hilt and Fernando Merces wrote that Cyclops Blink is a "modular malware" that utilizes command and control tactics to infect victims and bring them into the greater botnet. According to Trend Micro's investigation, there are more than 200 victims of infected WatchGuard devices and Asus routers across the world.

However, the researchers noted that despite it being a state-sponsored botnet, the devices targeted by Cyclops Blink are neither used by critical organizations nor have evident economic, political or military value. Therefore, Trend Micro believes "it is possible that the Cyclops Blink botnet's main purpose is to build an infrastructure for further attacks on high-value targets."

Hacquebord compared the current activities of Cyclops Blink to Russian APT Pawn Storm, also known as Fancy Bear.

"This is similar to what a group like Pawn Storm (APT28) also has been doing over the years: compromising thousands of email addresses of atypical targets, apparently in order to create the infrastructure that can send spear phishing emails to the actual targets," he told SearchSecurity. "However, due to the modular nature of Cyclops Blink, it is possible there are espionage-related components, but so far we have not seen these extra modules."

Asked about whether the activities could be connected to Russia's ongoing invasion in Ukraine, he said that Trend Micro "did not intend to imply any relationship between Cyclops Blink and the ongoing war in Ukraine," but acknowledged past attribution to Sandworm.

"U.K.'s NCSC [National Cyber Security Centre] has attributed Cyclops Blink to Sandworm, an infamous APT group that is known to have targeted Ukraine for a long time," Hacquebord said. "According to the U.S. DOJ [Department of Justice], Sandworm has also targeted the French elections in 2017, the PyeongChang Winter Olympics, the Organisation for the Prohibition of Chemical Weapons (OPCW), and Georgian companies and government entities."

The security vendor gave three examples of current victims: "a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe and a plumber in the United States."

In addition to Asus and WatchGuard, Trend Micro claimed it had evidence of the botnet affecting at least one other vendor -- namely, a router vendor -- but have been unable to collect malware samples.

"We have evidence that other routers are affected too, but as of reporting, we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and Asus," the report said.

Asus published an advisory Thursday that includes a list of affected routers as well as recommended mitigations. The vendor said it is currently investigating the threat and working on remediations for Cyclops Blink. WatchGuard published a similar advisory in February.

Asus has not responded to SearchSecurity's request for comment at press time.

Sandworm is a Russian state-sponsored threat group responsible for a number of large-scale campaigns. The APT is best known for being credited with the destructive NotPetya attacks in 2017, but it is also responsible for the VPNFilter botnet first discovered in 2018. Sandworm was also credited with the BlackEnergy Trojan used in critical infrastructure attacks against Ukraine in 2016.

Alexander Culafi is a writer, journalist and podcaster based in Boston.