According to U.S. and U.K. cybersecurity agencies, a threat actor known as Sandworm or Voodoo Bear is using a new malware called Cyclops Blink, a large-scale modular malware framework that is affecting network devices.
The U.K. National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) in the U.S. have previously attributed Sandworm to Russian GRU's Main Center for Special Technologies GTsST. The threat actor was allegedly responsible for the following cybersecurity incidents:
- The BlackEnergy disruption of Ukrainian electricity in 2015
- Industroyer in 2016
- NotPetya in 2017
- Attacks against the Winter Olympics and Paralympics in 2018
- A series of disruptive attacks against Georgia in 2019
Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices. The malware has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. The actor has primarily deployed Cyclops Blink to WatchGuard devices, but Sandworm would likely compile the malware for other architectures and firmware.
The malware is sophisticated and modular with basic core functionality to beacon device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware runs, allowing Sandworm to implement additional capabilities. Post exploitation, Cyclops Blink is generally deployed as a firmware 'update,' making remediation harder.
While there isn't any specific evidence linking Cyclops Blink to the most recent Ukrainian distributed denial of service (DDoS) attacks, Rick Holland, Chief Information Security Officer and Vice President of Strategy at Digital Shadows, says, "Disinformation, false flags, DDoS attacks and destructive wiper malware are a part of Russian military doctrine." Holland suggests that Russia could use the malware to further target Ukraine and critical U.S. and Western infrastructure while the military conflict in Ukraine further unfolds.
Security teams should be prepared for attacks against critical infrastructure and adopt a heightened security posture to maximize resilience. John Dickson, Vice President at Coalfire, a Westminster, says security leaders should:
- Brainstorm potential disruption scenarios, e.g., international travel or GPS disruption and craft response plans.
- Conduct a quick tabletop exercise tailored to a regional conflict scenario. Pull in key corporate leaders to identify gaps and identify additional risks.
- Identify and protect key staff who may be impacted by disruption associated with a widening conflict in the Ukrainian area.
- Secure externals security resources (more humans) when your workflows increase exponentially.
The advisory, published by the NCSC (U.K.) and CISA, FBI and NSA, includes steps outlining how to identify a Cyclops Blink infection and points to mitigation advice to help organizations remove it. Please refer to the Cyclops Blink malware analysis report for compromise indicators, which may help detect this activity.