The DoJ still recommends reviewing the initial February 23 advisory released by the United Kingdom’s National Cyber Security Centre, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency to secure and protect compromised devices.
The operation was conducted in March 2022 and disrupted a two-tiered global botnet that controlled thousands of infected network hardware devices. The operation copied and then removed the malware from vulnerable internet-connected firewall devices that were being used for command and control (C2) of the underlying botnet. Although the operation made no direct connection to the bots themselves, disabling the C2 mechanism severed those bots from the C2 devices' control.
Assistant Attorney General G. Olsen of the Justice Department’s National Security Division said:
“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal.
By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes.”
The Cyclops Blink malware targets network devices manufactured by WatchGuard Technologies Inc. (WatchGuard) and ASUSTek Computer Inc. (ASUS). These devices are often located on the perimeter of a victim's network, so an attacker who controls them is positioned to conduct malicious activity against every computer inside that network.
If you believe you have a compromised device, the DoJ advises you to contact your local FBI Field Office for assistance.