The U.S. government announced on Wednesday that it had disrupted a botnet controlled by Russian government hackers before it could be used to launch cyberattacks.
In a press release, the Department of Justice announced that it had copied and removed malware from thousands of infected network firewall devices, which were under the control of Russia’s Main Intelligence Directorate, commonly known as GRU and its hacker group known as Sandworm.
Videos by VICE
“The Russian government has recently used similar infrastructure to attack Ukrainian targets. Fortunately we were able to disrupt this botnet before it could be used,” Attorney General Merrick Garland said during a press conference. “We were able to detect the infection of thousands of network hardware devices. We were then able to disable the GRU’s control over those devices before the botnet could be weaponized.”
The botnet was controlled with malware known as Cyclops Blink, which the United Kingdom’s National Cyber Security Centre, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, and the National Security Agency had publicly revealed the existence of and analyzed in an advisory published on Feb. 23.
Do you have information about this law enforcement operation? Or about other Russian cyberattacks in Ukraine? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com
The malware targeted firewalls made by WatchGuard and Asus, according to the press release. On Feb. 23, WatchGuard released tools to detect and remediate the malware infection. Cybersecurity firm TrendMicro later reported that it had detected the malware on Asus routers in March. And on April 1, Asus released a firmware update for its routers that was designed to block Sandworm’s malware.
The Justice Department’s operation against the botnet was authorized by a court order on March 18, which allowed the department to “copy and remove” the malware from all the infected devices, which were used as command and control—or C2—devices to potentially launch cyberattacks, according to the press release.
“These steps had the immediate effect of preventing Sandworm from accessing these C2 devices, thereby disrupting Sandworm’s control of the infected bot devices controlled by the remediated C2 devices,” the press release read. “As required by the terms of the court authorization, the FBI has provided notice to the owners of the domestic C2 devices from which the FBI copied and removed the Cyclops Blink malware.”
“The FBI prides itself on working closely with our law enforcement and private sector partners to expose criminals who hide behind their computer and launch attacks that threaten Americans’ safety, security and confidence in our digitally connected world,” Special Agent in Charge Mike Nordwall of the FBI’s Pittsburgh Field Office was quoted as saying in the press release. “The FBI has an unwavering commitment to combat and disrupt Russia’s efforts to gain a foothold inside U.S. and allied networks.”
Since the start of Russia’s invasion of Ukraine, there have been several cyberattacks, such as the one against the satellite internet firm Viasat, which The Washington Post reported was conducted by the Russian government. Other suspected Russian cyberattacks used different kinds of destructive malware named WhisperGate, HermeticWiper, and AcidRain.
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.