Connect with us

Hi, what are you looking for?



FBI Disables “Cyclops Blink” Botnet Controlled by Russian Intelligence Agency

The U.S. government on Wednesday announced that it had neutralized a massive botnet of hardware devices controlled by Russia’s main intelligence agency (GRU).

The U.S. government on Wednesday announced that it had neutralized a massive botnet of hardware devices controlled by Russia’s main intelligence agency (GRU).

In the court-approved operation, the Federal Bureau of Investigation (FBI) partnered with Watchguard to copy and remove the “Cyclops Blink” malware that serves as the hub for a large-scale botnet targeting firewall appliances and SOHO networking devices.

Cyclops Blink, which maintains persistence throughout the legitimate device firmware update process, has been directly linked to APT groups associated with the Russian government. 

In a statement Wednesday, the U.S. Justice Department said the operation was conducted last month “to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm.”

[ READ: U.S. Gov Warning: Firmware Security a ‘Single Point of Failure‘ ]

The agency said the operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. 

Although the operation did not involve access to the Sandworm malware on the thousands of underlying infected devices worldwide, the Justice Department said the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control.

Advertisement. Scroll to continue reading.

WatchGuard Technologies, which makes devices that were targeted by the malware, has released detection and remediation tools alongside recommendations for device owners to remove any malware infection and patch their devices to the latest versions of available firmware. 

Device maker ASUS also released its own guidance to help compromised ASUS device owners mitigate the Cyclops Blink malware threat. 

The Justice Department said the operation led to the successful remediation of thousands of compromised devices but warned that a majority of the originally compromised devices remained infected.

Related: Russia-Linked Cyclops Blink Botnet Attacking ASUS Routers

Related: New Modem Wiper Malware May be Connected to Viasat Hack

Related: U.S. Gov Issues Warning, Calling Firmware Security a ‘Single Point of Failure’

Related: Hundreds of Networks Still Host Devices Infected With VPNFilter Malware

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.