The FBI remotely accessed and disinfected US-located devices running a powerful new strain of Russian state botnet malware, federal authorities said Wednesday. Those authorities added that the Kremlin was using the malware to wage stealthy hacks of its adversaries.
The infected devices were primarily made up of firewall appliances from WatchGuard and, to a lesser extent, network devices from Asus. Both manufacturers recently issued advisories providing recommendations for hardening or disinfecting devices infected by the botnet, known as Cyclops Blink. It is the latest botnet malware from Russia’s Sandworm, which is among the world’s most elite and destructive state-sponsored hacking outfits.
Regaining control
Cyclops Blink came to light in February in an advisory jointly issued by the UK’s National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI). WatchGuard said at the time that the malware had infected about 1 percent of network devices it made.
Cyclops Blink was a replacement for another piece of Sandworm-designed malware known as VPNFilter, which researchers discovered in 2018 infecting 500,000 US-based routers made by Linksys, MikroTik, Netgear, QNAP, and TP-Link. The FBI quickly seized a server Sandworm was using to infect devices with VPNFilter. Once that was completed, the bureau instructed the public to reboot their devices. With that, the botnet was dismantled.
Cyclops Blink was Sandworm’s attempt to regain persistent control of networking devices, and the malware almost worked. In a court affidavit unsealed Wednesday, federal prosecutors wrote:
As with VPNFilter, Sandworm actors have deployed Cyclops Blink on network devices worldwide in a manner that appears to be indiscriminate; i.e., the Sandworm actors’ infection of any particular device appears to have been driven by that device’s vulnerability to the malware, rather than a concerted effort to target that particular device or its owner for other reasons. The Sandworm actors have done so through the exploitation of software vulnerabilities in various network devices, primarily WatchGuard firewall appliances. In particular, the WatchGuard devices are vulnerable to an exploit that allows unauthorized remote access to the management panels of those devices.
The botnet persisted even after February 23. That’s when WatchGuard, in coordination with the FBI, released instructions for returning disinfected devices to a clean state and configuring the devices to prevent unrestricted access to management interfaces. WatchGuard also fixed a vulnerability tracked as CVE-2022-23176, which opened the authentication bypass hole when devices were configured to allow unrestricted management access from external IP addresses. Although the CVE was only issued this year, WatchGuard said Wednesday that the vulnerability had been fully addressed in May 2021.
Slippery slopes and the law of unintended consequences
Following the February advisory, however, the number of devices in the Cyclops Blink botnet fell by just 39 percent. In response, the FBI went one step further than it did with VPNFilter in 2018. In a clandestine takedown operation cloaked by a federal warrant, agents remotely accessed infected WatchGuard devices connected to 13 US-based IP addresses. From there, the agents:
- Confirmed the presence of the Cyclops Blink malware
- Logged the serial number Cyclops Blink used to track its bots
- Copied a list of other devices also infected by Cyclops Blink
- Disinfected the machines
- Closed Internet-facing management ports to prevent Sandworm from having remote access
It’s not the first time the FBI has remotely accessed an infected device to remove a threat, but it is an early example. Many security professionals have raised concerns that such moves have the potential to cause harm if they accidentally disrupt a mission-critical process. Privacy advocates have also decried the exposure of private individuals’ information that such actions may cause.
Jake Williams, a former hacker for the NSA and now Executive Director of Cyber Threat Intelligence at security firm SCYTHE, voiced the same concerns surrounding this case. He said the specific steps the FBI took, however, left him feeling more comfortable. In a message, he wrote:
I think it’s always dicey for LE [law enforcement] to modify anything on a server that they don’t control. However, in this case, I don’t think there was significant risk, so the benefits clearly outweighed the risks. Many will cite slippery slope arguments as reasons this particular action was improper, but I think that’s wrong. The fact that the FBI coordinated with private enterprise (WatchGuard) in this action is particularly significant.
The FBI affidavit said that last September, agents interviewed representatives of a company operating an infected device on its network. The company allowed the agents to take a forensic image of the machine and to “prospectively observe the network traffic associated with the firewall appliance.”
Impersonating Cyclops Blink
Agents soon reverse engineered CPD, the Cyclops Blink executable file, and retrieved a list of IP addresses for some of the other command-and-control (C2) servers powering the botnet. The agents soon discovered that these C2 servers were controlled by other C2 servers (referred to as a “panel”) higher up the chain. To keep communications between the panel and bots stealthy, they occurred over Tor.
In January, the FBI devised a means of impersonating the Cyclops Blink panel and sending commands to other infected devices. A court warrant issued last month gave agents authority to remotely access the 13 US-based servers and carry out the commands.
The affidavit said the agents worked with WatchGuard to develop the method for removing the CPD file without causing data loss or degrading performance. An FBI-controlled server used in the operation “will not maintain a communications channel with the Target C2 Device after this procedure is concluded,” an FBI agent wrote in the affidavit. “The FBI has confirmed the accuracy of this scanning method through subsequent searches of C2 devices.”
Agents also worked with WatchGuard to develop a list of firewall rules that would prevent Sandworm from accessing remote management interfaces and retaking control of the devices, while at the same time not affecting any other functionality. What’s more, the configuration change was “nonpersistent,” meaning it lasted only until the device was rebooted.
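The hardening that both the February advisory and the FBI's firewall rules aimed at is the same: no management interface reachable from arbitrary external IP addresses. The following is an added example, not code from the article, WatchGuard or the FBI, that audits a firewall policy for exactly that condition and produces a restricted replacement. The rule format, the "management" port numbers (443 and 22 here) and the sample rules are constructed for illustration; a real appliance has its own management ports and rule syntax.

```python
"""Audit firewall policies for management interfaces exposed to the Internet.

Added example (not from the article, WatchGuard, or the FBI). It models the
condition described in the text: an authentication bypass that is only
reachable when a device allows unrestricted management access from external
IP addresses. Rule format, port numbers, and sample rules are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical management services, keyed by listening port (constructed).
MANAGEMENT_PORTS = {443: "web-admin", 22: "ssh-admin"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    src: str          # source CIDR, e.g. "0.0.0.0/0" means "anyone"
    dst_port: int
    from_zone: str    # "external" (Internet-facing) or "trusted"


def find_exposed_management(rules, admin_allowlist):
    """Return (rule name, service, source, severity) for every allow rule
    that reaches a management port from the external zone with a source
    broader than the administrator allowlist."""
    allow_nets = [ipaddress.ip_network(c, strict=False) for c in admin_allowlist]
    findings = []
    for r in rules:
        if r.action != "allow" or r.from_zone != "external":
            continue
        if r.dst_port not in MANAGEMENT_PORTS:
            continue
        src = ipaddress.ip_network(r.src, strict=False)
        # A source already contained in the allowlist is the intended state.
        if any(src.version == a.version and src.subnet_of(a) for a in allow_nets):
            continue
        # Prefix length 0 is "the whole Internet": the weak setting the article describes.
        severity = "critical" if src.prefixlen == 0 else "high"
        findings.append((r.name, MANAGEMENT_PORTS[r.dst_port], r.src, severity))
    return findings


def harden(rules, admin_allowlist):
    """Replace each flagged rule with one rule per allowlisted admin network,
    leaving every other rule untouched (the restricted configuration)."""
    flagged = {f[0] for f in find_exposed_management(rules, admin_allowlist)}
    hardened = []
    for r in rules:
        if r.name not in flagged:
            hardened.append(r)
            continue
        for cidr in admin_allowlist:
            hardened.append(Rule(f"{r.name}-restricted", "allow", cidr, r.dst_port, r.from_zone))
    return hardened


# Constructed sample policy: two "anyone may manage" rules, one rule already
# scoped to the admin network (TEST-NET-3), one internal rule, one partner rule.
SAMPLE_RULES = [
    Rule("mgmt-any", "allow", "0.0.0.0/0", 443, "external"),
    Rule("ssh-any", "allow", "0.0.0.0/0", 22, "external"),
    Rule("mgmt-admin", "allow", "203.0.113.0/24", 443, "external"),
    Rule("https-out", "allow", "10.0.0.0/8", 443, "trusted"),
    Rule("mgmt-partner", "allow", "198.51.100.0/24", 443, "external"),
]
ADMIN_ALLOWLIST = ["203.0.113.0/24"]  # constructed administrator network


if __name__ == "__main__":
    for name, service, src, severity in find_exposed_management(SAMPLE_RULES, ADMIN_ALLOWLIST):
        print(f"[{severity}] {name}: {service} reachable from {src}")
    for r in harden(SAMPLE_RULES, ADMIN_ALLOWLIST):
        print(f"{r.name:<22} {r.action} {r.from_zone:<8} {r.src:<18} -> {r.dst_port}")
```

Run against the constructed policy, the audit flags "mgmt-any" and "ssh-any" as critical and "mgmt-partner" as high, and the hardened policy produces no findings. One design point worth noting in light of the article: the FBI's rule change was deliberately nonpersistent, so an operator who relies on it is back to the weak setting after a reboot; the restriction belongs in the device's saved configuration.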
To further increase stealth, Cyclops Blink didn’t store the IP addresses of all infected devices in a single place. Instead, the botnet stored them piecemeal on different infected machines. To assemble a fuller list of bots, the FBI-controlled server also retrieved the IP addresses of other bots stored on each device.
Williams, the former NSA hacker, said the FBI was “clear the commands it executed did not allow [federal agents] to monitor any user’s data” and that “this needs to be publicized more in my opinion.”
The takedown underscores the increasingly sophisticated and aggressive lengths law enforcement is taking to combat the menace of botnets, particularly those from Russian state hackers.