The US Department of Justice announced the liquidation of the Cyclops Blink botnet, which was led by the APT-group Sandworm, allegedly associated with the special services of the Russian Federation.
“The US Department of Justice announces that in March 2022, a court-sanctioned operation was carried out to eliminate a two-tier botnet from thousands of infected network devices around the world that were under the control of an attacker known to security researchers as Sandworm,” the Ministry of Justice said in a press release.
During the operation, specialists copied and removed malware from vulnerable Internet-connected firewalls used by Sandworm as C&C servers for the botnet, notifying their owners beforehand.
Together with experts from WatchGuard, law enforcement officers analyzed the malware, created tools for its detection and developed methods for its elimination. However, the WatchGuard Firebox vulnerable firewalls used as bots still pose a threat and may be subject to further attacks if their operators do not take the security measures recommended by the manufacturer.
In February of this year, US and UK law enforcement agencies published a joint notification warning about the new Cyclops Blink malware associated with Sandworm.
APT-group Sandworm (other names BlackEnergy and TeleBots) has been active since 2000. Among other things, she is responsible for the creation and distribution of the NotPetya ransomware that attacked hundreds of companies around the world in June 2017.