Feds announce disruption of Russian malware attack in operation aided by Pittsburgh FBI, U.S. Attorney's office
The U.S. Department of Justice announced a series of measures Wednesday to combat Russian criminal activity, including an operation to disrupt a malware program that officials said would have allowed the Russian government to control thousands of infected security devices around the world.
The operation to disrupt the “Cyclops Blink” malware was led by the FBI in Pittsburgh, Atlanta and Oklahoma City, and the U.S. Attorney’s office in Pittsburgh.
According to the DOJ, Sandworm, an intelligence unit of the Russian government, began installing the malware as early as June 2019 on thousands of network security devices manufactured by WatchGuard and ASUS, devices typically used in home offices or small to mid-sized businesses. The malware would then allow Sandworm to take command and control of the firewall devices, which often connect multiple computers across a network, to potentially conduct malicious activities.
“We’ve disrupted this botnet before it could be used,” said FBI Director Christopher Wray during a news conference in Washington, D.C. “The Russian government has shown it has no qualms about conducting this kind of criminal activity, and they continue to pose an imminent threat.”
Sandworm is the same group that in 2015 attacked the Ukrainian electric grid, and led cyber attacks during the 2018 Olympics, Wray said.
“Sandworm has a long history of outrageous, destructive attacks,” he said.
The operation disabled Sandworm’s command and control of the bots from the devices “before it could do any harm,” Wray said.
WatchGuard cooperated with the FBI in the investigation.
According to a warrant submitted on March 18 by FBI Pittsburgh to a federal magistrate in the Western District of Pennsylvania, the operation required agents to confirm the presence of the Cyclops Blink malware on the infected devices, retrieve the data from the malware, remove the malware and then block remote access to the devices’ management panel.
“Through these actions, the FBI will neutralize the Sandworm actors’ ability to further access the devices or otherwise reconstitute the botnet through technical means…,” the warrant said.
U.S. Attorney Cindy K. Chung, of the Western District of Pennsylvania, said that cyber attacks like Cyclops Blink are not only criminal but threaten the national security of the United States and its allies.
“Through close collaboration with WatchGuard and our law enforcement partners, we identified, disrupted and exposed yet another example of the Russian GRU’s hacking of innocent victims in the United States and around the world,” Chung said.
Special Agent in Charge Mike Nordwall of the FBI’s Pittsburgh Field Office said the FBI is committed to combating Russia’s criminal efforts.
“The FBI prides itself on working closely with our law enforcement and private sector partners to expose criminals who hide behind their computer and launch attacks that threaten Americans’ safety, security and confidence in our digitally connected world,” Nordwall said.
Wray cautioned that owners of the WatchGuard and ASUS devices must still carry out the remediation steps recommended by the companies.
“We removed malware from devices used by thousands of mostly small business owners for network security all over the world, and then we shut the door the Russians had used to get into them,” he said. “The botnet disruption strikes a blow against Russian intelligence, the Russian government.”
Paula Reed Ward is a TribLive reporter covering federal and Allegheny County courts. She joined the Trib in 2020 after spending nearly 17 years at the Pittsburgh Post-Gazette, where she was part of a Pulitzer Prize-winning team. She is the author of "Death by Cyanide." She can be reached at pward@triblive.com.