Any appearance of a new tool used by Russia’s notorious, disruptive Sandworm hackers will raise the eyebrows of cybersecurity professionals braced for high-impact cyberattacks. When US and UK agencies warn of one such tool spotted in the wild just as Russia prepares a potential mass-scale invasion of Ukraine, it’s enough to raise alarms.
On Wednesday, both the UK National Cybersecurity Center and the US’s Cybersecurity and Infrastructure Security Agency released advisories warning that they—along with the FBI and NSA–have detected a new form of network device malware being used by Sandworm, a group tied to some of the most destructive cyberattacks in history and believed to be a part of Russia’s GRU military intelligence agency. The new malware, which the agencies call Cyclops Blink, has been found in firewall devices sold by networking hardware company Watchguard since at least June of 2019. But the NCSC warns that “it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware,” that it may have already infected other common network routers used in homes and businesses, and that the malware’s “deployment also appears indiscriminate and widespread.”
It remains unclear whether Sandworm has been hacking network devices for purposes of espionage, or building out its network of hacked machines to use as communications infrastructure for future operations, or targeting networks for disruptive cyberattacks remains, says Joe Slowik, a security researcher for DomainTools and a long-time tracker of the Sandworm group. But given that Sandworm’s past history of inflicting digital chaos includes destroying entire networks inside Ukrainian companies and government agencies, triggering blackouts by targeting electrical utilities in Ukraine, and releasing the NotPetya malware there that spread globally and cost $10 billion in damage, Slowik says even an ambiguous move by the hackers merits caution—particularly as another Russian invasion of Ukraine looms.
“It definitely seems like Sandworm has continued the path of compromising relatively large networks of these devices for purposes unknown,” Slowik says. “There are a number of options available to them, and given that it’s Sandworm, some of those options could be concerning, and bleed into deny, degrade, disrupt, and potentially destroy, though there’s no evidence of that yet.”
CISA and the NCSC both describe the Cyclops Blink malware as a successor to an earlier Sandworm tool known as VPNFilter, which infected half a million routers to form a global botnet before it was identified by Cisco and the FBI in 2018 and largely dismantled. There’s no sign that Sandworm has taken control of nearly that many devices with Cyclops Blink. But like VPNFilter, the new malware serves as a foothold on network devices and would allow the hackers to download new functionality to infected machines, whether to enlist them as proxies for relaying command-and-control communications or targeting the networks where the devices are installed.
In its own analysis of the malware, Watchguard writes that the hackers were able to infect its devices via a vulnerability it patched in a May 2021 update, which even before then would have only offered an opening when a control interface for the devices was exposed to the internet. The hackers also appear to have used a vulnerability in how Watchguard devices verify the legitimacy of firmware updates, downloading their own firmware to the firewall devices and installing it so that their malware can survive reboots. Watchguard estimates that about 1 percent of its total number of installed firewalls were infected, though it didn’t give a total number for how many devices that represented. Watchguard also released tools to detect infections on its firewalls and if necessary, wipe and reinstall their software.