FBI operation aims to take down massive Russian GRU botnet

The Federal Bureau of Investigation has disclosed it carried out an operation in March to target a massive botnet controlled by Russian intelligence.

The operation was authorized by courts in California and Pennsylvania, allowing the FBI to copy and remove the so-called Cyclops Blink malware from the compromised devices Sandworm was using as command and control servers, also known as C2s, and in doing so to sever the link between those servers and the thousands of infected devices that were taking instructions from them.

The Justice Department announced the March operation on Wednesday, describing it as “successful,” but warned that device owners should still review the initial February 23 advisory to secure their compromised devices and prevent reinfection.

The Justice Department said that since the news first emerged about the rising threat of Cyclops Blink in February, thousands of compromised devices have been secured by the owners but justified its court-ordered operation because the “majority” of infected devices were still compromised just weeks later in mid-March.

Cyclops Blink is believed to be the successor to VPNFilter, a botnet whose infected devices were largely left unremediated after it was exposed by security researchers in 2018 and later targeted by a U.S. government operation to disrupt its command and control servers. Both Cyclops Blink and VPNFilter are attributed to Sandworm, a group of hackers working for Russia’s GRU, the country’s military intelligence agency.

According to the Justice Department, the court order had the “immediate effect of preventing Sandworm from accessing these C2 devices, thereby disrupting Sandworm’s control of the infected bot devices controlled by the remediated C2 devices.”

“The operation did not involve any FBI communications with bot devices,” the Justice Department said.

U.S. authorities did not speculate on the goal of the Cyclops Blink botnet, but security researchers say the botnet is capable of collecting information and conducting espionage, launching distributed denial-of-service attacks that overload websites and servers with junk traffic, and carrying out destructive attacks that render the devices inoperable and cause system and network disruptions.

Sandworm is particularly known for launching disruptive hacks over the years, including knocking the Ukrainian power grid offline and, more recently, deploying a destructive wiper targeting the Viasat satellite network over Ukraine and Europe. The malware used in an attempt to blow up a Saudi petrochemical plant has also been linked to the Russian state, though U.S. authorities attributed it to a government research institute rather than to Sandworm.

John Hultquist, vice president of intelligence analysis at Mandiant, said in response to the FBI’s operation:

Sandworm is the premier Russian cyber attack capability and one of the actors we have been most concerned about in light of the invasion. We are concerned that they could be used to hit targets in Ukraine, but we are also concerned they may hit targets in the West in retribution for the pressure being placed on Russia.

Last April, the FBI launched a first-of-its-kind operation to copy and remove backdoors left behind by Chinese spies, who had mass-hacked thousands of vulnerable Exchange servers in order to steal contact lists and email inboxes.

Updated and corrected to clarify that compromised devices were not accessed as part of the FBI’s operation.
