UPDATED 20:38 EDT / FEBRUARY 23 2022

SECURITY

Russian ‘Cyclops Blink’ malware targets network devices

The U.K. and U.S. governments have identified a new form of malware developed by Russian hackers that targets network devices.

Dubbed Cyclops Blink, the malware is linked to the Sandworm hacking group. Sandworm, also known as APT 28 and Fancy Bear, has been linked to various hacks over the previous six to seven years. Sandworm is believed to be run by Unit 74455 of the Russian Main Intelligence Directorate, a military intelligence agency of the General Staff of the Armed Forces.

Cyclops Blink is described by the U.K. National Cyber Security Centre as a replacement framework for the VPNFilter malware first discovered in 2018. Like VPNFilter, Cyclops Blink targets network devices, primarily small office and home office routers and network-attached storage devices.

Though only now detailed, it’s believed that Cyclops Blink has been active since June 2019. As with VPNFilter, Cyclops Blink’s deployment appears indiscriminate and widespread.

Sandworm has so far primarily deployed Cyclops Blink to WatchGuard devices. WatchGuard Technologies Inc. is a network security vendor that provides products designed to protect computer networks from outside threats.

The malware itself is described as sophisticated and modular with the functionality to send device information back to a server. Cyclops Blink can enable files to be downloaded and executed. The modular nature of the malware also allows Sandworm to implement additional capabilities as required.

Post exploitation, Cyclops Blink organizes victims’ devices into clusters, and each deployment has a list of command and control IP addresses and ports it uses. Communication between Sandworm and compromised devices is protected with Transport Layer Security using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the command and control layer through the Tor network.

The agencies warn that Cyclops Blink persists on reboot and throughout legitimate firmware updates.

In conjunction with the U.K. NCSC, the U.S. Federal Bureau of Investigation and the Department of Homeland Security’s Cybersecurity and Infrastructure Agency, WatchGuard has provided tooling and guidance to enable detection and removal of Cyclops Blink. The details of how to do so are here.

In addition, the warning states that if a device is identified as infected with Cyclops Blink, it should be presumed that any passwords present have been compromised and hence should be replaced.

Image: Max Pixel
