Botnet activity that drew loud warnings last month from U.S. and U.K. cybersecurity agencies has expanded to a second type of hardware, according to researchers at Trend Micro.
The CyclopsBlink malware is now targeting routers from hardware maker ASUS, the researchers said Thursday, after first being discovered on Firebox devices from WatchGuard. Both manufacturers have issued security bulletins to customers.
The U.K. National Cyber Security Centre and the U.S. Cybersecurity and Infrastructure Security Agency, National Security Agency and FBI linked the botnet to the state-backed Russian advanced persistent threat (APT) group known as Sandworm.
Although those attackers have been blamed in numerous major incidents, researchers so far have not tied CyclopsBlink to any high-profile targets. For now, the botnet seems to be oriented toward propagating itself, in part by turning compromised devices into command-and-control (C&C) servers for other bots, Trend Micro said.
“Our data also shows that although Cyclops Blink is a state-sponsored botnet, its C&C servers and bots affect WatchGuard Firebox and Asus devices that do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage,” Trend Micro said. “Hence, we believe that it is possible that the Cyclops Blink botnet’s main purpose is to build an infrastructure for further attacks on high-value targets.”
The company said that a third manufacturer’s devices could be a CyclopsBlink target, “but so far we have been unable to collect malware samples for this router brand.”
The government alerts in February emphasized that CyclopsBlink was a new tool for Sandworm, which was famous for malware known as VPNFilter.
CyclopsBlink is modular, meaning that once the botnet persists on a device, the malware can load additional components and be used for other, more intrusive activities.
Trend Micro said it was able to identify more than 200 victims so far.
“Typical countries of infected WatchGuard devices and Asus routers are the United States, India, Italy, Canada, and a long list of other countries, including Russia,” the researchers said.
Trend Micro noted that devices from about a dozen vendors were compromised by VPNFilter, suggesting that CyclopsBlink could be working toward a similar target list.