The FBI Disrupted Russian Gru Botnet Malware Through a Court Order Before It Could Be Weaponized

The Federal Bureau of Investigation (FBI) said it shut down a Russian GRU botnet malware through a court-authorized operation before it could be weaponized.

The botnet targeted Firebox firewall hardware used by many small and midsized businesses from WatchGuard Technologies.

The DOJ said the operation involved copying and removing “malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.”

U.S. Attorney General Merrick Garland also disclosed that US authorities worked with WatchGuard to analyze the malware, remove it before it could be used, and create detection and remediation techniques.

Russian GRU botnet malware linked to Sandworm APT

FBI said the botnet used Cyclops Blink malware associated with Sandworm (also Voodoo Bear) team. The group is associated with the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

“This GRU team, Sandworm, had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies’ Firebox devices—these are security appliances, mainly firewalls, that are typically deployed in home office environments and in small to mid-size businesses,” FBI Director Christopher Wray, said in a press statement.

Sandworm hacking group is responsible for large-scale cyber attacks including the worldwide NotPetya campaign, Ukraine’s power grid shutdown in 2015, the French presidential campaign hack, the 2018 Winter Olympics Destroyer, and attacks on the Organization for the Prohibition of Chemical Weapons (OPCW).

The Cyclops Blink malware emerged in 2019 as a replacement for the VPNFilter malware that the Justice Department brought down through another court-authorized action in 2018.

On Feb 3, 2022, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued an advisory on Cyclops Blink malware targeting WatchGuard and Asus networking devices.

Similarly, researchers from Trend Micro warned in March 2022 that the Cyclops Blink malware targeted devices in non-critical infrastructure organizations to…