The U.K. and U.S. governments have identified a new form of malware developed by Russian hackers that targets network devices.

Dubbed Cyclops Blink, the malware is linked to the Sandworm hacking group. Sandworm, also known as APT 28 and Fancy Bear, has been linked to various hacks over the previous six to seven years. Sandworm is believed to be run by Unit 74455 of the Russian Main Intelligence Directorate, a military intelligence agency of the General Staff of the Armed Forces.

Cyclops Blink is described by the U.K. National Cyber Security Center as a replacement framework for the VPNFilter malware first discovered in 2018. Sandworm, as VPNFilter did, exploits network devices, primarily small office and home office routers and network-attached storage devices.

Though only now detailed, it’s believed that Cyclops Blink has been active since June 2019. As with VPNFilter, Cyclops Blink’s deployment appears indiscriminate and widespread.

Sandworm has so far primarily deployed Cyclops Blink to WatchGuard devices. WatchGuard Technologies Inc. is a network security vendor that provides products designed to protect computer networks from outside threats.

The malware itself is described as sophisticated and modular with the functionality to send device information back to a server. Cyclops Blink can enable files to be downloaded and executed. The modular nature of the malware also allows Sandworm to implement additional capabilities as required.

Post exploitation, Cyclops Blink organizes victim’s devices into clusters and each deployment has a list of command and control IP addresses and ports it uses. Communication from Sandworm and compromised devices are protected with Transport Layer Security using individually generated keys and certificates. Sandworm manages Cyclops Link by connecting the command and control layer through the Tor network.

The agencies warn that Cyclops Blink persists on reboot and throughout legitimate firmware updates.

In conjunction with the U.K. NCSC, the U.S. Federal Bureau of Investigation, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency and the Federal Bureau of Investigation, WatchGuard has provided tooling and guidance to enable detection and removal of Cyclops Blink. The details of how to do so are here.

In addition, the warning states that if a device is identified as infected with Cyclops Blink, it should be presumed that any passwords present have been compromised and hence should be replaced.

Image: Max Pixel