The Federal Bureau of Investigation said it launched an operation in March to attack massive botnets controlled by Russian intelligence.
The operation was authorized by the California and Pennsylvania courts, allowing the FBI to copy and remove the so-called Cyclops Blink malware, also known as C2S, from its command and control servers, allowing the FBI to connect to thousands of infected devices. Cutting is allowed. Follow the instructions on the server.
The Justice Department announced the March operation on Wednesday, calling it a “success” but warned that device owners would still have to review the original Feb. 23 advice on how to secure their compromised devices and prevent reinfection.
The Justice Department said thousands of compromised devices have been protected by their owners since reports of the growing threat from Cyclops Blink first surfaced in February, but that justifies a court-sanctioned operation as “most of the infected devices” “were at risk.” just a few weeks. Late mid March.
Cyclops Blink is considered the successor to VPNfilter, a botnet that was largely neglected in 2018 after being discovered by security researchers and later targeted by a US government operation to hijack command and control servers. Cyclops Blink and VPNfilter are credited with Sandworm, a group of hackers working for Russia’s GRU, the country’s military intelligence arm.
According to the Justice Department, the court order “immediately prohibited Sandworm from accessing these C2 devices, violating Sandworm’s control over infected bot devices controlled by recovered C2 devices.”
“The operation did not involve communication with FBI bot devices,” the Justice Department said.
US officials make no assumptions about the purposes of the Cyclops Blink botnet, but security researchers say the botnet is capable of intelligence gathering and spying, launching distributed denial-of-service attacks that link websites to unwanted traffic and overload servers. , as well as destructive attacks that render devices useless and cause system and network failures.
Sandworms have been known to launch devastating hack attacks over the years, including shutting down Ukraine’s power grid, using malware to blow up a petrochemical plant in Saudi Arabia, and most recently targeting Viasat’s satellite networks in Ukraine and Europe.
John Hultquist, vice president of intelligence analysis at Mandient, said in response to the FBI operation:
Sandworms are the main potential for Russian cyberattacks and one of the actors we are most concerned about in light of the invasion. We are concerned that they could be used to hit targets in Ukraine, but we are also concerned that they will be hit against targets in the West in response to pressure being exerted on Russia.
Last April, the FBI launched a first-of-its-kind operation to copy and remove backdoors left behind by Chinese spies who massively hacked into thousands of vulnerable Exchange servers to steal contact lists and mailboxes.
Updated and corrected to clarify that the compromised hardware was not used as part of FBI operations.