To eliminate the Cyclops Blink botnet, the FBI used a search and seizure warrant


For the second time this year, the FBI used a search and seizure warrant to clear malware from devices belonging to private companies and users without their direct approval. The bureau used the warrant to disable the Cyclops Blink botnet, allegedly operated by the Sandworm APT group.

Cyclops Blink is modular malware designed to infect and control network devices such as routers and firewalls. One of its main targets was WatchGuard Firebox network appliances; it also attacked routers manufactured by ASUS.

With the owner's permission, the FBI recovered the firmware image from one of the compromised WatchGuard devices and used it to study the malware. Investigators also monitored the infected device's traffic, which allowed them to identify one of the relay C&C servers in the United States.

After gaining access to that server and analyzing how it operated, the investigators found that Cyclops Blink C&C servers used digital certificates with particular characteristics. By scanning the Internet for those characteristics, they identified 38 C&C servers, 22 of them located in the USA. Using search and seizure warrants, the FBI took control of some of these servers.
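The same pivot works on the defensive side: once a C&C certificate family is characterised, a network team can check the server certificates its own hosts connect to against that profile. The script below is an added example and is not code from the article, the FBI or WatchGuard; the profile fields, the regex, the hosts and the tab-separated log lines are all constructed placeholders and do not describe the real Cyclops Blink certificates.

```python
"""Match observed TLS server certificates against a C&C certificate profile.

Added example, not from the article or any organisation it names. The
profile values and the log lines are constructed placeholders and do not
describe the real Cyclops Blink certificates.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import re

# Constructed sample log (tab-separated), one TLS connection per line:
# ts, src, dst:port, subject DN, issuer DN, not_before, not_after, key bits
SAMPLE_LOG = """\
1649000001\t192.0.2.10\t203.0.113.5:443\tCN=Test Root,O=example\tCN=Test Root,O=example\t2021-01-01\t2031-01-01\t2048
1649000002\t192.0.2.11\t198.51.100.7:8443\tCN=srv-01,O=example\tCN=srv-01,O=example\t2022-02-01\t2024-02-01\t4096
1649000003\t192.0.2.12\t93.184.216.34:443\tCN=www.example.org\tCN=Example Public CA\t2022-03-14\t2023-03-14\t2048
"""


@dataclass(frozen=True)
class CertProfile:
    """Characteristics of the certificate family to look for.

    A field left as None is not checked, so a profile can be as loose or
    as tight as the available intelligence allows.
    """
    name: str
    self_signed: Optional[bool] = None
    subject_re: Optional[str] = None      # regex applied to the subject DN
    validity_days: Optional[int] = None   # exact certificate lifetime
    key_bits: Optional[int] = None

    def matches(self, cert: Dict[str, object]) -> bool:
        checks = [
            self.self_signed is None or cert["self_signed"] == self.self_signed,
            self.subject_re is None
            or re.search(self.subject_re, str(cert["subject"])) is not None,
            self.validity_days is None or cert["validity_days"] == self.validity_days,
            self.key_bits is None or cert["key_bits"] == self.key_bits,
        ]
        return all(checks)


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse the constructed tab-separated format into certificate records."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, subject, issuer, not_before, not_after, bits = line.split("\t")
        records.append({
            "ts": int(ts),
            "src": src,
            "dst": dst,
            "subject": subject,
            "issuer": issuer,
            # Equal subject and issuer is a cheap self-signed heuristic; a
            # full check would verify the signature with the cert's own key.
            "self_signed": subject == issuer,
            "validity_days": (date.fromisoformat(not_after)
                              - date.fromisoformat(not_before)).days,
            "key_bits": int(bits),
        })
    return records


def flag_connections(text: str, profile: CertProfile) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs whose server certificate fits the profile."""
    return [(str(r["src"]), str(r["dst"]))
            for r in parse_log(text) if profile.matches(r)]


# Hypothetical profile: the real indicators are not given in the article.
C2_PROFILE = CertProfile(
    name="hypothetical-c2-cert",
    self_signed=True,
    subject_re=r"^CN=srv-\d+,",
    validity_days=730,
    key_bits=4096,
)

if __name__ == "__main__":
    for src, dst in flag_connections(SAMPLE_LOG, C2_PROFILE):
        print(f"{src} -> {dst}: certificate matches profile {C2_PROFILE.name}")
```

Only the second connection is flagged: its certificate is self-signed, carries the assumed subject pattern, is valid for exactly 730 days and uses a 4096-bit key. The first is self-signed but has the wrong subject and lifetime, and the third is CA-issued. In practice the profile would be fed from real indicators and the records from a TLS or x509 log rather than the embedded sample.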

The investigators developed a technique that allowed them to impersonate the servers' control panel over the Tor network and send commands to the bots those servers controlled. Together with WatchGuard and other law enforcement agencies, the FBI devised a clean-up strategy for infected devices under which a series of commands was sent to them.

These commands served the following purposes: confirm the presence of malicious code on the infected device, record the device's serial number, extract a copy of the malware and its list of embedded C&C servers, delete the malicious code, and add a firewall rule blocking remote access to the management interface.

Last April the FBI used the same strategy to copy and then delete web shells from Microsoft Exchange servers used by the Chinese cyber-espionage group Hafnium.