Posted on February 24, 2022 at 7:42 PM
The intelligence agencies of the UK and the US have published a joint cyber report warning that Russian threat actors are behind a new, sophisticated piece of malware.
According to the report, the new malware, dubbed Cyclops Blink, has been attributed to the notorious Sandworm advanced persistent threat (APT) group. The group is linked to the Main Center for Special Technologies of Russia's military intelligence service, the GRU, and is the same group that attacked Ukraine's electricity distribution network seven years ago.
The advisory was published jointly by the UK's National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA).
For now, the agencies note that Cyclops Blink has only been observed on WatchGuard network devices, but the malware could be modified to target other devices.
The Malware Can Withstand Several Remedies
Cyclops Blink has been deployed widely against targets of interest to Russia, but the infections seen so far have been limited to WatchGuard devices. The US and UK agencies warn that the Sandworm actors could recompile the malware for other firmware and architectures.
Cyclops Blink is deployed as part of a firmware update, so it survives reboots of the targeted device. Because it lives in the firmware image rather than in volatile memory, a reboot does not clear it and removal means reinstalling clean vendor firmware, which makes it very difficult to get rid of.
Infected devices are organised into clusters, and each deployment carries its own list of command and control (C2) IP addresses and ports that it can use. The NCSC also notes that not every Cyclops Blink infection means the infected organisation is the primary target: in some cases the compromised device is used as a hop to reach the real target.
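As an added illustration (not code from the advisory, from WatchGuard, or from this article), the following Python hunts for the kind of traffic that per-deployment C2 lists imply: connections originated by the perimeter appliance itself, as opposed to client traffic it merely forwards. The log line format, the IP addresses, the appliance's own address and the allow-list are all constructed placeholders; they are not WatchGuard's real log format and not any published Cyclops Blink indicator.

```python
"""Hunt for appliance-originated outbound connections worth a closer look.

Constructed example. The log format below is invented for illustration and is
not WatchGuard's real log format; the IPs and the allow-list are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines (not from any real device). Assumed format:
# "<ISO timestamp> conn src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
# 203.0.113.1 plays the appliance's own external address; 10.0.0.x are clients.
SAMPLE_LOG = """\
2022-02-24T10:00:01 conn src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp
2022-02-24T10:00:03 conn src=203.0.113.1 dst=198.51.100.10 dport=123 proto=udp
2022-02-24T10:05:00 conn src=203.0.113.1 dst=192.0.2.77 dport=8443 proto=tcp
2022-02-24T10:15:00 conn src=203.0.113.1 dst=192.0.2.77 dport=8443 proto=tcp
2022-02-24T10:25:00 conn src=203.0.113.1 dst=192.0.2.77 dport=8443 proto=tcp
2022-02-24T10:35:00 conn src=203.0.113.1 dst=192.0.2.77 dport=8443 proto=tcp
2022-02-24T10:36:00 conn src=10.0.0.9 dst=192.0.2.77 dport=8443 proto=tcp
2022-02-24T11:00:00 conn src=203.0.113.1 dst=198.51.100.10 dport=123 proto=udp
2022-02-24T11:02:00 conn src=203.0.113.1 dst=198.51.100.20 dport=443 proto=tcp
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["dport"] = int(rec["dport"])
        yield rec


def hunt_device_originated(records, device_ips, allowed, min_hits=3):
    """Return (dst, dport) pairs the appliance itself connected to repeatedly.

    device_ips: the appliance's own source addresses (assumed known to the
                defender); anything else is forwarded client traffic.
    allowed:    (dst_ip, dport) pairs the appliance legitimately talks to
                (vendor update hosts, NTP, DNS); these are dropped.
    min_hits:   minimum repeat count before a destination is reported.
    """
    buckets = defaultdict(list)
    for r in records:
        if r["src"] not in device_ips:
            continue  # forwarded client traffic, not the appliance's own
        if (r["dst"], r["dport"]) in allowed:
            continue  # expected vendor/NTP/DNS traffic
        buckets[(r["dst"], r["dport"])].append(r["ts"])

    findings = []
    for (dst, dport), times in buckets.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings.append({
            "dst": dst,
            "dport": dport,
            "hits": len(times),
            # A single hit has no interval; report None rather than crash.
            "median_gap_s": median(gaps) if gaps else None,
        })
    return sorted(findings, key=lambda f: -f["hits"])


if __name__ == "__main__":
    for f in hunt_device_originated(
        parse_log(SAMPLE_LOG),
        device_ips={"203.0.113.1"},
        allowed={("198.51.100.10", 123)},
    ):
        print(f)
```

Without the actual indicator list, the hunt leans on the fact that a perimeter device should itself talk to very few destinations; a recurring, evenly spaced connection from the appliance's own address to an unknown host on an unusual port is a lead, not a verdict, and the allow-list has to be built from what the device is known to need.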
The malware has the sophistication to circumvent different security checks and withstand remedies such as reboots, according to the report.
This comes at a time when the US and the UK are on high alert for Russian state-sponsored hacking. Russia has gone to war with Ukraine as political tensions between the two countries escalated, and Russia is known for using its cyber capabilities to carry out large-scale attacks as part of its military response to adversaries.
The agencies clarified, however, that their statement is not directly connected to the situation in Ukraine and is only a "routine advisory."
US cyber security firm Mandiant, however, said the advisory is a direct reminder that Sandworm remains a very dangerous and capable threat actor that can inflict severe damage on its targets.
Cybersecurity Firms Warn Against The Dangers Of The Malware
Vice President at Mandiant Threat Intelligence, John Hultquist, stated that Sandworm is still a “capable and clever” adversary.
He added that the security community is concerned about the group in light of the crisis in Ukraine. Mandiant said that, in terms of sophistication and potency, Sandworm has developed some of the most dangerous malware to hit major organisations and government institutions, and that it has outdone every other threat actor in the information operations and aggressive cyberattacks it has carried out.
"No other Russian actor has been so brazen and successful in disrupting critical infrastructure in Ukraine and elsewhere," Hultquist said. Ukraine suffered a massive distributed denial of service (DDoS) attack a few days earlier, targeting Ukrainian banks and the websites of several government agencies.
Ukraine's Minister of Digital Transformation, Mykhailo Fedorov, said the parliament's website was also hit by the attack, and that important data at some of the banks was affected.
Ukrainian authorities said they had received warnings earlier in the week that threat actors were preparing DDoS and malware attacks against the government and the country's major financial institutions.
The Attack Is Consistent With Russia’s Tactics
Rick Holland, chief information security officer at cyber security firm Digital Shadows, said the latest cyberattack on Ukraine was consistent with Russia's tactic of distracting and disrupting adversaries while "providing a level of plausible deniability." He added that cyberattacks of this kind are meticulously planned, so Russia's campaign against Ukraine's cyberspace was not put together in a matter of weeks; the country's military intelligence has been planning it for years.
He said the battle plans, including false flags, disinformation, disruptive wiper malware and DDoS attacks, had been drawn up long in advance.
The White House said it has been in touch with Ukrainian authorities about the cyber threats they face. Both the UK and the US governments have blamed Russia for the cyberattacks on Ukraine, while the Russian government has vehemently denied any involvement.