The United States is continuing its “demining” operation in anticipation of possible Russian cyberattacks. On Wednesday April 6, the US Department of Justice announced that it had dealt a serious blow to a “botnet”, a network of infected electronic devices controlled by Russian military intelligence.
The US authorities explained that, during March, the Federal Bureau of Investigation (FBI) had managed to cut the infected machines off from the servers the hackers used to control them, rendering this botnet, called Cyclops Blink, inoperative, at least in theory.
The announcement comes days after Joe Biden publicly warned of potential Russian computer attacks. US authorities fear the Kremlin will order its hackers to launch offensives against critical infrastructure in response to the severe international sanctions imposed on Russia since it invaded Ukraine on February 24.
It is not known with certainty what Cyclops Blink was intended for: it could have served just as well as a staging base for espionage operations as for more destructive attacks. First observed in 2019, this network of remotely controlled “zombie” machines consisted of network equipment used by small businesses and individuals, in particular devices sold by the company WatchGuard. A flaw in the software running them allowed the hackers to infect and control them remotely.
So far, no known attack has been launched from Cyclops Blink, but the American authorities chose to pull the rug out from under the hackers’ feet before it could do harm. The decision to technically disable the botnet (part of its infrastructure was physically located in the United States) fits the strategy Washington and its allies have followed for several weeks of communicating with a degree of transparency about Russian activity linked to the invasion of Ukraine. The existence of Cyclops Blink had been announced jointly and publicly in February by the United States and Great Britain, which feared it would be used alongside the military invasion of Ukraine that was then being prepared and that London and Washington were publicly denouncing.
The GRU at work
British and American intelligence services have named the hacking group known in the industry as Sandworm as the operator behind Cyclops Blink. According to most analysts, as well as the American justice system, it is a unit of the GRU, the Russian military intelligence service. The group is held responsible for several destructive cyberattacks against Ukraine over the past ten years, as well as for influence operations targeting the 2017 French presidential election and the 2018 Pyeongchang Winter Olympics.
The same group was behind another botnet discovered in 2018: VPNFilter. That one was aimed primarily at Ukraine, and at the time experts feared it could be used for large-scale sabotage. US authorities had already conducted an operation to take control of the infrastructure the hackers used to command the infected machines, measures that led to the botnet’s complete disappearance.
Today, the FBI hopes to have dealt an equally fatal blow to Cyclops Blink, especially since it is much smaller, in number of infected machines, than its predecessor: only a few hundred, against several hundred thousand for VPNFilter. It cannot be ruled out, however, that Cyclops Blink could be reborn: although the hackers have been deprived of the means to remotely control the infected devices, those devices remain exposed to reinfection by new malware as long as their owners have not patched the software flaw the hackers exploited.
Alongside the announcement of the FBI operation, Microsoft announced the following day, April 7, that it had seized seven internet domains used by another hacking group, also linked to the GRU. According to the company, these domain names were used to launch espionage operations against Ukraine, in particular its media, but also against government entities and think tanks in the United States and Europe. “We believe that Strontium [the name Microsoft uses for this hacking group] tried to establish long-term access to the computer systems of its targets, provided tactical support to the physical invasion and exfiltrated sensitive information,” Microsoft writes in its press release.