URL: https://arstechnica.com/information-technology/2022/04/fbi-accesses-us-servers-to-dismantle-botnet-malware-installed-by-...
TAKEDOWN —


COMPANIES WERE SLOW TO REMOVE RUSSIAN SPIES’ MALWARE, SO FBI DID IT FOR THEM


HOW THE FBI TOOK DOWN "CYCLOPS BLINK," A RUSSIA STATE BOTNET INFECTING NETWORK FIREWALLS.

Dan Goodin - 4/6/2022, 9:25 PM

The FBI remotely accessed and disinfected US-located devices running a powerful
new strain of Russian state botnet malware, federal authorities said Wednesday.
Those authorities added that the Kremlin was using the malware to wage stealthy
hacks of its adversaries.

The infected devices were primarily made up of firewall appliances from
WatchGuard and, to a lesser extent, network devices from Asus. Both
manufacturers recently issued advisories providing recommendations for hardening
or disinfecting devices infected by the botnet, known as Cyclops Blink. It is
the latest botnet malware from Russia’s Sandworm, which is among the world’s
most elite and destructive state-sponsored hacking outfits.


REGAINING CONTROL

Cyclops Blink came to light in February in an advisory jointly issued by the
UK’s National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure
Security Agency (CISA), the National Security Agency (NSA), and the Federal
Bureau of Investigation (FBI). WatchGuard said at the time that the malware had
infected about 1 percent of network devices it made.

Cyclops Blink was a replacement for another piece of Sandworm-designed malware
known as VPNFilter, which researchers discovered in 2018 infecting 500,000
US-based routers made by Linksys, MikroTik, Netgear, QNAP, and TP-Link. The FBI
quickly seized a server Sandworm was using to infect devices with VPNFilter.
Once that was completed, the bureau instructed the public to reboot their
devices. With that, the botnet was dismantled.

Cyclops Blink was Sandworm’s attempt to regain persistent control of networking
devices, and the malware almost worked. In a court affidavit unsealed Wednesday,
federal prosecutors wrote:

> As with VPNFilter, Sandworm actors have deployed Cyclops Blink on network
> devices worldwide in a manner that appears to be indiscriminate; i.e., the
> Sandworm actors’ infection of any particular device appears to have been
> driven by that device’s vulnerability to the malware, rather than a concerted
> effort to target that particular device or its owner for other reasons. The
> Sandworm actors have done so through the exploitation of software
> vulnerabilities in various network devices, primarily WatchGuard firewall
> appliances. In particular, the WatchGuard devices are vulnerable to an exploit
> that allows unauthorized remote access to the management panels of those
> devices.

The botnet persisted even after February 23. That’s when WatchGuard, in
coordination with the FBI, released instructions for returning disinfected
devices to a clean state and configuring the devices to prevent unrestricted
access to management interfaces. WatchGuard also fixed a vulnerability tracked
as CVE-2022-23176, which opened the authentication bypass hole when servers were
configured to allow unrestricted management access from external IP addresses.
Despite the CVE issued this year, WatchGuard said Wednesday, the vulnerability
was fully addressed in May 2021.


SLIPPERY SLOPES AND THE LAW OF UNINTENDED CONSEQUENCES

Following the February advisory, however, the number of devices in the Cyclops
Blink botnet fell by just 39 percent. In response, the FBI went one step further
than it did with VPNFilter in 2018. In a clandestine takedown operation cloaked
by a federal warrant, agents remotely accessed infected WatchGuard devices
connected to 13 US-based IP addresses. From there, the agents:

 * Confirmed the presence of the Cyclops Blink malware
 * Logged the serial number Cyclops Blink used to track its bots
 * Copied a list of other devices also infected by Cyclops Blink
 * Disinfected the machines
 * Closed Internet-facing management ports to prevent Sandworm from having
   remote access

It’s not the first time the FBI has remotely accessed an infected device to
remove a threat, but it is an early example. Many security professionals have
raised concerns that such moves have the potential to cause harm if such actions
accidentally disrupt a mission-critical process. Privacy advocates have also
decried the exposure such actions may have on private individuals’ information.

Jake Williams, a former hacker for the NSA and now Executive Director of Cyber
Threat Intelligence at security firm SCYTHE, voiced the same concerns surrounding
this case. He said the specific steps the FBI took, however, left him feeling
more comfortable. In a message, he wrote:

> I think it’s always dicey for LE [law enforcement] to modify anything on a
> server that they don’t control. However, in this case, I don’t think there was
> significant risk, so the benefits clearly outweighed the risks. Many will cite
> slippery slope arguments as reasons this particular action was improper, but I
> think that’s wrong. The fact that the FBI coordinated with private enterprise
> (WatchGuard) in this action is particularly significant.

The FBI affidavit said that last September, agents interviewed representatives of
a company operating an infected device on its network. The company allowed the
agents to take a forensic image of the machine and to “prospectively observe the
network traffic associated with the firewall appliance.”

Page: 1 2 Next →

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012
after working for The Register, the Associated Press, Bloomberg News, and other
publications.
Email dan.goodin@arstechnica.com // Twitter @dangoodin001
