The FBI has revealed a global action designed to disrupt the Cyclops Blink botnet.
According to remarks by FBI director Richard Wray at a press conference, the FBI’s work focused on taking control of WatchGuard Firebox firewalls away from the attackers, then copying and removing the malware infecting those devices.
Wray warned that owners of the vulnerable devices still need to follow WatchGuard’s remediation instructions to prevent re-infection.
The Cyclops Blink variant of VPNFilter emerged in March, with Trend Micro warning that some Asus devices were also vulnerable.
Since Cyclops Blink emerged, it’s been attributed to Russia’s GRU-operated Sandworm group.
“With the court-authorised operations we’re announcing today, we’ve disrupted this botnet before it could be used. We were largely able to do that because we had close cooperation with WatchGuard”, Wray told the press conference.
“We’ve worked closely with WatchGuard to analyse the malware and develop detection tools and remediation techniques over the past several weeks.
“Our operation removed Russia’s ability to control these Firebox devices on the botnet network, and then copied and removed malware from the infected devices.”
WatchGuard said fewer than one percent of its devices in the wild are affected by the attack.
US officials informed owners “of the steps they should take to remediate infections or vulnerabilities”.
The Australian Cyber Security Centre’s only mention of Cyclops Blink is in this advice that Australian organisations should “adopt an enhanced cyber security posture”.