
Russian malware Cyclops Blink exposed

By Maria Henriquez
February 28, 2022

According to U.S. and U.K. cybersecurity agencies, a threat actor known as Sandworm or Voodoo Bear is using a new malware called Cyclops Blink, a large-scale modular malware framework that is affecting network devices.


The U.K. National Cyber Security Centre (NCSC) and, in the U.S., the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have previously attributed Sandworm to the Russian GRU's Main Center for Special Technologies (GTsST). The threat actor was allegedly responsible for the following cybersecurity incidents:


  • The BlackEnergy disruption of Ukrainian electricity in 2015
  • Industroyer in 2016
  • NotPetya in 2017
  • Attacks against the Winter Olympics and Paralympics in 2018
  • A series of disruptive attacks against Georgia in 2019


Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices. The malware has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. The actor has primarily deployed Cyclops Blink to WatchGuard devices, but Sandworm would likely compile the malware for other architectures and firmware.


The malware is sophisticated and modular, with basic core functionality to beacon device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware runs, allowing Sandworm to implement additional capabilities. Post-exploitation, Cyclops Blink is generally deployed as a firmware 'update,' making remediation harder.


While there isn't any specific evidence linking Cyclops Blink to the most recent Ukrainian distributed denial of service (DDoS) attacks, Rick Holland, Chief Information Security Officer and Vice President of Strategy at Digital Shadows, says, "Disinformation, false flags, DDoS attacks and destructive wiper malware are a part of Russian military doctrine." Holland suggests that Russia could use the malware to further target Ukraine and critical U.S. and Western infrastructure while the military conflict in Ukraine further unfolds.


Security teams should be prepared for attacks against critical infrastructure and adopt a heightened security posture to maximize resilience. John Dickson, Vice President at Coalfire, a Westminster, says security leaders should:


  • Brainstorm potential disruption scenarios, e.g., international travel or GPS disruption, and craft response plans.
  • Conduct a quick tabletop exercise tailored to a regional conflict scenario. Pull in key corporate leaders to identify gaps and identify additional risks.
  • Identify and protect key staff who may be impacted by disruption associated with a widening conflict in the Ukrainian area.
  • Secure external security resources (more humans) when your workflows increase exponentially.


The advisory, published by the NCSC (U.K.) and CISA, FBI and NSA, includes steps outlining how to identify a Cyclops Blink infection and points to mitigation advice to help organizations remove it. Please refer to the Cyclops Blink malware analysis report for compromise indicators, which may help detect this activity. 

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.
