Botnet Controlled By Russia’s GRU Disrupted By US, UK


Botnet controlled by Russian military intelligence disrupted by the United States, which removed GRU control of thousands of infected devices

The United States and UK have dealt a cyber blow against Russian military intelligence, the GRU, after removing its control of a global botnet.

The US Justice Department announced on Wednesday that an operation on 22 March copied and removed malware known as “Cyclops Blink” from the botnet’s command-and-control devices.

The operation disrupted the GRU’s control over thousands of infected devices worldwide, although the owners of those devices still need to take steps to remove the malware themselves.


GRU control

The botnet was controlled by a known threat actor that security researchers have called Sandworm.

However, the US government has previously attributed Sandworm to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).

The DoJ said the operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.

Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide (i.e. the bots), the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control.

“This court-authorised removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.

US, UK action

“By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyse the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity,” said Olsen.

“This operation is an example of the FBI’s commitment to combatting cyber threats through our unique authorities, capabilities, and co-ordination with our partners,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division.

“As the lead domestic law enforcement and intelligence agency, we will continue pursuing cyber actors that threaten the national security and public safety of the American people, our private sector partners and our international partners,” said Vorndran.

The DoJ pointed out that on 23 February, the UK’s National Cyber Security Centre, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency released an advisory identifying the Cyclops Blink malware, which targets network devices manufactured by WatchGuard Technologies and ASUSTek Computer.

These network devices are often located on the perimeter of a victim’s computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks.

The same day as the advisory, WatchGuard released detection and remediation tools for users of WatchGuard devices.

GRU activities

As explained in the advisory, the malware appeared to have emerged as early as June 2019, and was the apparent successor to another Sandworm botnet called VPNFilter, which the Department of Justice disrupted through a court-authorised operation in 2018.

The GRU is responsible for many well-known cyberattacks in recent years.

In October 2020, the UK’s NCSC uncovered malicious cyber activity from Russia’s GRU military intelligence service against organisations involved in the 2020 Olympic and Paralympic Games, which resulted in the US Department of Justice charging six Russian GRU officers.

The GRU’s attacks have also used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.