The UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have issued an alert. A group or individual known as Sandworm or Voodoo Bear is using a piece of malware never before seen in the wild, called Cyclops Blink.
Cyclops Blink Malware
In the past, these security agencies have linked the entity behind Sandworm with the Russian GRU’s Main Centre for Special Technologies GTsST. The name Sandworm may not be familiar but the attacks might be more known:
- The BlackEnergy disruption of Ukrainian electricity in 2015
- Industroyer in 2016
- NotPetya in 2017
- Attacks against the Winter Olympics and Paralympics in 2018
- A series of disruptive attacks against Georgia in 2019
In 2018, WIRED shared the “untold story” of NotPetya, one of the worst cyberattacks in history. At that time it had already been linked to Russia. Then, in January 2022 Merck won a court dispute over the NotPetya attack. This was purely against insurance companies who argued cyberattacks weren’t included in their coverage, or at least they didn’t tell those they insured that these attacks weren’t covered in the contract.
These agencies believe that Cyclops Blink is an upgrade to VPNFilter. This was a piece of malware uncovered 2018. It targeted network devices, especially routers from “small office/home office” and network attached storage (NAS) devices. Cyclops Blink has been seen in the wild since at least June 2019.
Cyclops Blink persists on reboot and throughout the legitimate firmware update process. Affected organisations should therefore take steps to remove the malware.