US says it disrupted Russian botnet ‘before it could be weaponized’
The U.S. government disrupted a botnet built by the Sandworm hacking group of Russia’s GRU intelligence agency before it could be used for malicious purposes, officials said Wednesday at a news conference.
“Thanks to our close work with international partners, we were able to detect the infection of thousands of network hardware devices,” Attorney General Merrick Garland said. “We were then able to disable the GRU’s control over those devices before the botnet could be weaponized.”
Botnets, which infect internet-connected devices to spread malware or perform other disruptive tasks, have long been a part of the playbook for Russian state-backed hackers. Sandworm has been blamed for multiple high-profile cyberattacks around the world, including the shutdown of the Ukrainian electrical grid in 2015 and the worldwide NotPetya cyberattacks in 2017.
“[I]t does not matter how cleverly you write your malware or hide your online activity,” Garland said. “The Justice Department will use every available tool to find you, disrupt your plots and hold you accountable.”
FBI Director Christopher Wray said the botnet used the “Cyclops Blink” code that U.S. and U.K. cyber agencies had attributed to Sandworm in a Feb. 23 alert. The botnet initially targeted WatchGuard Technologies’ Firebox firewall hardware, which is often installed by small and mid-sized businesses.
The takedown of Cyclops Blink was “a sophisticated, court-authorized operation” that involved removing malware from thousands of devices, Wray said.
“And then we shut the door the Russians had used to get into them,” he said.
Wray said the U.S. government also worked closely with Seattle-based WatchGuard to develop “detection tools and remediation techniques” in recent weeks. A news release from the Justice Department said that U.S. personnel focused on disrupting machines that served as command and control devices.
On March 17, cybersecurity researchers at Trend Micro expanded on the original U.S. and U.K. warning, reporting that some ASUS brand devices could be affected. ASUS also worked closely with the U.S. government in the botnet takedown, the Justice Department said.
Even though the botnet has been disrupted, owners of potentially affected devices should still follow WatchGuard’s instructions for updating the hardware, Wray said.
The Justice Department also noted that during the operation, the U.S. government “did not search for or collect other information from the relevant victim networks,” and the takedown “did not involve any FBI communications with bot devices.”
One of many
Federal agencies have outed several other Russia-linked cyber-operations since Moscow ramped up its hostilities against Ukraine earlier this year. This month the Justice Department announced the indictment of Russians allegedly associated with the Trisis malware that attacked a Saudi petrochemical plant in 2017. And White House officials have repeatedly warned about the potential for Russia-backed cyberattacks on U.S. businesses and infrastructure.
Gen. Paul Nakasone, director of the NSA and U.S. Cyber Command, told lawmakers Tuesday that American personnel have worked side-by-side with Ukrainian partners to “hunt forward” for malicious activity.
Ukrainian government officials have also provided regular updates about Russian cyber-activity. On Tuesday, the country’s Computer Emergency Response Team said a group known as Gamaredon or Armageddon had unsuccessfully sent phishing emails with malicious attachments designed to look like documents about purported Russian war crimes.
Russian-language cybercrime groups are also known for deploying botnets, including Trickbot and Emotet, which have been the target of cyber-operations by Western governments and corporations. Both of those botnets can be linked to the infamous Conti cybercrime organization, cybersecurity researchers say.
Garland’s announcement comes a day after German authorities, with the backing of the Justice Department and other U.S. agencies, took down the Russian-language Hydra dark web marketplace.
Updated 4/6/22: with more comments from news conference.