FBI disrupts Cyclops Blink botnet used by Russian intelligence directorate

According to US officials, the Cyclops Blink botnet is controlled by the Main Intelligence Directorate (GRU) of the Russian Federation and has compromised thousands of devices worldwide.

The court-authorized operation was launched in March 2022, after the Russian-controlled botnet, which infected hardware devices with Cyclops Blink malware, was detected in February 2022.

UK and US authorities have traced its operators to the infamous Sandworm group, which is affiliated with the Russian GRU’s specialized technology headquarters. The group has been linked to a number of destructive attacks in the past, including the NotPetya attack in 2017 and the BlackEnergy campaign in 2015, which targeted power plants in Ukraine.

Cyclops Blink is modular malware that is believed to be the successor to the VPNFilter botnet. The malware infects Internet-connected devices through malicious firmware updates and is currently targeting ASUS and WatchGuard devices. Cyclops Blink maintains persistence through the device's legitimate firmware update process, and it is directly linked to APT groups affiliated with the Russian government.

The FBI, in partnership with WatchGuard, has taken down a large botnet of hardware devices infected with malware that targets firewall appliances and SOHO networking devices. Notably, the malware targets devices made by WatchGuard Technologies and ASUS.

WatchGuard has released detection and remediation tools and recommendations for device owners, asking them to update their devices to the latest firmware version. ASUS has also released guidance to help owners of compromised ASUS devices mitigate the Cyclops Blink threat.

Although thousands of compromised devices were successfully remediated during the operation, the US Department of Justice warned that many of the compromised devices are still infected.

US Department of Justice Statement

In a press release, the US Justice Department said last month that an operation had been launched to disrupt “the two-tier global botnet of thousands of infected network hardware devices.” The operation also disabled the C2 mechanism, which cut the bots off from the control of the Sandworm C2 devices. Authorities also closed the ports Sandworm used to operate the botnet remotely.

U.S. Attorney General Merrick Garland said the operation had successfully disrupted the botnet before it was used and had removed GRU control over the infected equipment before it was weaponized.

“This court-authorized removal of malware executed by the Russian GRU demonstrates the department’s commitment to intercept country-state hacking using all legal tools at our disposal.”


Assistant Attorney General Matthew Olsen
