The United States continues its demining operation in anticipation of possible Russian cyber attacks. On Wednesday, April 6, the United States Department of Justice announced that it had dealt a serious blow to a “botnet”, a network of infected electronic devices controlled by Russia’s military intelligence services.
The US authorities explained that in March the Federal Bureau of Investigation (FBI) managed to disconnect the infected machines from the servers the hackers used to control them, leaving this botnet, called Cyclops Blink, theoretically useless.
This announcement comes days after Joe Biden publicly warned about possible Russian computer attacks. US authorities fear the Kremlin will order its hackers to launch offensives against critical infrastructure in response to the significant international sanctions that have weighed on Russia since it launched the invasion of Ukraine on February 24.
It is not known for sure what Cyclops Blink could be used for: it could serve as a rear base for launching espionage operations as well as more destructive attacks. First seen in 2019, this network of remotely controlled “zombie” machines consisted of network equipment used by small businesses or individuals, specifically devices marketed by the company WatchGuard. A flaw in the software running them allowed hackers to infect and control them remotely.
At this point there is no known attack by Cyclops Blink, but US authorities preferred to pull the rug out from under the hackers’ feet to prevent it from causing damage. This decision to technically deactivate the botnet – part of its technical infrastructure was physically located in the United States – is in line with the strategy Washington and its allies have followed for several weeks of communicating with a certain transparency about Russian activities related to the invasion of Ukraine. The existence of Cyclops Blink was publicly and jointly announced in February by the United States and Great Britain, which feared that this botnet would be used in parallel with the then-prepared military invasion of Ukraine, which London and Washington publicly denounced.
The GRU at work
British and American intelligence agencies have named the group of hackers known in the industry as Sandworm as the mastermind behind Cyclops Blink. According to most analysts, and also the American judiciary, it is a unit of the GRU, the Russian military intelligence service. The group is responsible for several violent cyber-attacks on Ukraine over the past ten years, as well as for manipulations targeting the French presidential elections of 2017 and the PyeongChang Olympics in 2018.
This group was also behind another botnet discovered in 2018: VPNFilter. That botnet was mainly aimed at Ukraine, and experts at the time feared that it could be used for large-scale sabotage actions. US authorities had already carried out an operation designed to take over the infrastructure the hackers used to control infected machines, a measure that led to the total disappearance of that botnet.
Today, the FBI also hopes to have dealt a fatal blow to Cyclops Blink, especially since the latter is much more limited in number of infected machines than its predecessor: only a few hundred, compared to several hundred thousand for VPNFilter. However, the possibility cannot be ruled out that Cyclops Blink could be reborn: once the hackers have been deprived of the means to remotely control the infected devices, those devices remain vulnerable to another malware infection until their owners fix the software flaw the hackers exploited.
Along with the announcement of the FBI operation, Microsoft announced on Wednesday, April 7 that it had acquired seven web addresses used by another group of hackers, also from the GRU. According to the company, these domain names were used to launch espionage operations against Ukraine, especially media outlets, but also against government agencies and think tanks in the United States and Europe. “We believe that Strontium [the name Microsoft uses for this group of hackers] attempted long-term access to its targets’ computer systems, provided tactical support to the physical invasion, and exfiltrated sensitive information,” writes Microsoft in its press release.