Russia-Linked Cyclops Blink Malware Identified as Potential Cyberwarfare Weapon

Government authorities have uncovered new malware for killing home and business network devices, replacing the weaker VPNFilter code with a deadlier version.

The governments of the United States and the United Kingdom published a joint report on Wednesday detailing a new malware strain developed by Russia’s military cyber unit that has been in the wild since 2019 and has been used to remotely compromise network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices.

The special cyber activity report was released only hours before Russian soldiers launched an invasion of neighboring Ukraine on Wednesday evening.

Initial warnings concerning cyberattacks were released on February 16 by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), all of which were coordinated by the National Security Agency (NSA). That investigation revealed that Russian state-sponsored hackers have been lurking in many U.S. Cleared Defense Contractors’ (CDC) networks for the last two years, stealing sensitive, unclassified material as well as proprietary and export-controlled technologies from the organizations.

DDoS Tool

The spyware known as Cyclops Blink looks to be a successor to the VPNFilter malware discovered earlier this year. Its distribution may allow Sandworm to remotely access networks.

The National Cyber Security Centre (NCSC) in the United Kingdom and the FBI, CISA, and the National Security Agency (NSA) in the United States issued the advisory.

The cyber report outlines the measures to take to detect a Cyclops Blink infection and provides mitigation tips to assist enterprises in eliminating the infection. The malware used against target networks is a Linux Executable and Linkable Format (ELF) executable. It makes use of a Linux API function to download malicious files, launch attacks, and sustain persistence on victim networks.

According to Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, a digital risk protection solutions provider, there was no specific evidence linking the Cyclops Blink malware to the most recent Ukrainian distributed denial of service (DDoS) attacks.

“As a result, compromised routers offer the Russians a valuable DDoS weapon that allows them to confuse and disrupt their rivals while still maintaining a degree of plausible deniability.” According to him, Russia has previously employed botnets; in 2018, for example, the FBI pulled a botnet related to the VPNFilter virus off the internet.

Connect the Dots

The joint alert identifies Sandworm, also known as Voodoo Bear, as the threat actor responsible. The new malware is built on a more sophisticated structure, according to the research.

The United States and the United Kingdom have previously attributed the Sandworm actor to the Main Centre for Special Technologies (GTsST) of the GRU, the Russian military’s intelligence agency.

Holland pointed out that Russia did not suddenly attack Ukraine this week. Military strategists had been preparing for this battle for some years.

The Russian military doctrine includes disinformation, false flags, distributed denial-of-service (DDoS) strikes, and destructive wiper software. He said that war plans have been developed and are now being implemented.

In light of the events leading up to and during the 2014 Russian annexation of Crimea, the malware attacks probably originated in Russia, according to John Dickson, vice president of cybersecurity consultancy services business Coalfire.

“It’s a million rubles that this is from our pals in Moscow. Before launching a full-scale invasion of Ukraine, they are likely attempting to weaken the target by interfering with Ukrainian command, control, and communications,” he said.

Cybersecurity Details

A Cyclops Blink malware analysis report by the National Cyber Security Centre (NCSC) is available. The report covers the examination of two samples that the FBI recently obtained from WatchGuard Firebox devices suspected of being part of the botnet.

According to the investigation, Cyclops Blink is a malicious Linux Executable and Linkable Format (ELF) executable built for the 32-bit PowerPC (big-endian) architecture.

A large-scale botnet targeting Small Office/Home Office (SOHO) network devices is being investigated by the NCSC, FBI, CISA, NSA, and industry analysts, according to the NCSC. This botnet has been operating since at least June of this year, targeting WatchGuard Fireboxes and potentially other SOHO networking devices as well.

The samples are loaded into memory in two separate program segments. The first of these segments has read/execute permissions and includes the malware’s Linux ELF header and executable code. The second has read/write permissions and contains victim-specific information the malware uses to operate.
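The file properties described above (32-bit, big-endian, PowerPC, one read/execute and one read/write loadable segment) can be read straight from the ELF header and program headers. The following triage parser is an added example, not code from the NCSC report; the function names and the header-only sample it builds are constructed for illustration. Many legitimate PowerPC binaries share this layout, so a match narrows down architecture only and is not a detection signature.

```python
import struct

EM_PPC = 20                      # e_machine for 32-bit PowerPC
PT_LOAD = 1                      # loadable program segment
PF_X, PF_W, PF_R = 1, 2, 4       # segment permission bits

def describe_elf32(data: bytes) -> dict:
    """Return architecture and PT_LOAD permissions of a 32-bit ELF image."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 1:
        raise ValueError("not ELFCLASS32")
    if data[5] not in (1, 2):
        raise ValueError("invalid EI_DATA")
    end = ">" if data[5] == 2 else "<"          # EI_DATA 2 = big-endian
    (e_machine,) = struct.unpack_from(end + "H", data, 18)
    (e_phoff,) = struct.unpack_from(end + "I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    loads = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if e_phentsize < 32 or off + 32 > len(data):
            raise ValueError("truncated program header table")
        p_type, _, p_vaddr, _, _, p_memsz, p_flags, _ = struct.unpack_from(
            end + "8I", data, off)
        if p_type == PT_LOAD:
            perms = "".join(c if p_flags & bit else "-"
                            for c, bit in (("r", PF_R), ("w", PF_W), ("x", PF_X)))
            loads.append({"vaddr": p_vaddr, "memsz": p_memsz, "perms": perms})
    return {"big_endian": data[5] == 2, "machine": e_machine, "loads": loads}

def matches_described_layout(info: dict) -> bool:
    """32-bit big-endian PowerPC with one r-x and one rw- loadable segment."""
    return (info["big_endian"] and info["machine"] == EM_PPC
            and [s["perms"] for s in info["loads"]] == ["r-x", "rw-"])

def build_sample(endian: str = ">") -> bytes:
    """Constructed header-only ELF image (no code, not a real sample)."""
    ident = b"\x7fELF" + bytes([1, 2 if endian == ">" else 1, 1]) + bytes(9)
    ehdr = ident + struct.pack(endian + "HHIIIIIHHHHHH", 2, EM_PPC, 1,
                               0x10000000, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    text = struct.pack(endian + "8I", PT_LOAD, 0, 0x10000000, 0x10000000,
                       0x1000, 0x1000, PF_R | PF_X, 0x10000)
    data = struct.pack(endian + "8I", PT_LOAD, 0x1000, 0x10020000, 0x10020000,
                       0x200, 0x400, PF_R | PF_W, 0x10000)
    return ehdr + text + data

if __name__ == "__main__":
    info = describe_elf32(build_sample())
    print(info, matches_described_layout(info))
```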

Risk of Potential Fallout

The significant uncertainties are whether Russia will be able to withstand new economic and other penalties imposed by the West, which the United States is expected to announce on Thursday, and whether Russian retribution would extend beyond the boundaries of Ukraine, according to Holland of Digital Shadows.

“According to Russian Foreign Ministry remarks published yesterday (Feb. 23) on a severe and painful response, important U.S. and Western infrastructures, such as energy and banking, might be attacked shortly,” he said.

Because of the cyber concerns, Coalfire’s Dickson suggests the following four security measures:

  1. Prepare reaction strategies for probable disruption situations, such as overseas travel or GPS failure, by brainstorming potential scenarios.
  2. Carry out a fast tabletop exercise geared to a regional war situation. Engage senior company executives’ participation to uncover gaps and identify new risks.
  3. Identify and safeguard critical personnel who may be harmed by the disruption caused by a worsening of the violence in the Ukrainian region, and ensure their safety.
  4. When your processes grow tremendously, you must secure more external security resources (more personnel).

Cyclops Blink Conclusions

The analysis states that Cyclops Blink has been professionally developed using a modular design approach. Malware samples were examined, and it was discovered that they were most likely built from an identical code base. The creators had taken great care to guarantee that the command and control communication would be difficult to identify and trace.

The developers reverse-engineered the WatchGuard Firebox firmware update process. They discovered a specific weakness in the process: the ability to recalculate the hash-based message authentication code (HMAC) value used to verify a firmware update image. They used this flaw to ensure that Cyclops Blink remained persistent throughout the legitimate firmware upgrade procedure.
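Why a recalculable HMAC fails as an integrity check, and what an independent check looks like, as an added example that is not WatchGuard's or the NCSC's code: it assumes the verification key is readable by software on the device and that the tag is HMAC-SHA256; the key, images and function names are constructed. Any party holding the key can produce a tag the updater accepts, so the defender-side audit compares the image against digests obtained from the vendor over a separate channel.

```python
import hashlib
import hmac

# Assumption for this example: the verification key is stored on the device,
# so code running on the device can read it. Constructed value.
DEVICE_KEY = b"constructed-demo-key"

def make_tag(image: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """HMAC-SHA256 tag over a firmware image (algorithm is an assumption)."""
    return hmac.new(key, image, hashlib.sha256).digest()

def device_accepts(image: bytes, tag: bytes) -> bool:
    """Updater-style check: the image is accepted if its HMAC tag verifies."""
    return hmac.compare_digest(make_tag(image), tag)

def audit_image(image: bytes, tag: bytes, vendor_sha256: set) -> str:
    """Defender-side check using digests obtained from the vendor out of band."""
    if not device_accepts(image, tag):
        return "rejected: HMAC mismatch"
    if hashlib.sha256(image).hexdigest() not in vendor_sha256:
        return "alert: valid HMAC but image is not a known vendor release"
    return "ok: known vendor release"

# Constructed stand-ins for a vendor image and a modified copy of it.
VENDOR_IMAGE = b"constructed firmware image, release 1"
MODIFIED_IMAGE = VENDOR_IMAGE + b" + altered file"
KNOWN_GOOD = {hashlib.sha256(VENDOR_IMAGE).hexdigest()}

if __name__ == "__main__":
    print(audit_image(VENDOR_IMAGE, make_tag(VENDOR_IMAGE), KNOWN_GOOD))
    # A tag recomputed with the on-device key verifies for the modified image.
    print(audit_image(MODIFIED_IMAGE, make_tag(MODIFIED_IMAGE), KNOWN_GOOD))
    # A stale tag on a modified image is caught by the HMAC itself.
    print(audit_image(MODIFIED_IMAGE, make_tag(VENDOR_IMAGE), KNOWN_GOOD))
```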

Cyclops Blink can read and write to the device filesystem. In this way, genuine files (for example, install upgrade) may be substituted with changed ones (for example, upgrade). Even if the exact issue were to be resolved, the developers would implement additional capabilities to ensure that Cyclops Blink’s persistence was not compromised.

The NCSC concludes that these features, combined with the professional development approach behind it, make Cyclops Blink a very complex piece of malware.

The Cyclops Blink samples were built for the 32-bit PowerPC (big-endian) architecture. WatchGuard devices, however, cover a wide variety of architectures, so these are probably also among the systems attacked by the malware.

The flaw in the firmware update procedure is also highly likely to affect additional WatchGuard devices. Because of this, it is suggested that users apply the WatchGuard mitigation recommendations for all relevant devices.
