The FBI secretly dismantled a huge Russian botnet last month

In March, the Federal Bureau of Investigation (FBI) took down a large-scale botnet belonging to a Russian state-sponsored threat actor known as Sandworm.

According to a report by TechCrunch, Sandworm has infected thousands of endpoints with Cyclops Blink malware, the successor to the now-defunct VPNFilter. Cyclops Blink allows Sandworm to perform cyber espionage, launch Distributed Denial of Service (DDoS) attacks, manipulate compromised devices, and disrupt networks.

After receiving the green light from courts in California and Pennsylvania, the FBI removed Cyclops Blink from its C2 servers, taking thousands of compromised endpoints offline. The Justice Department declared the raid a success, but still advised device owners to review the original advisory and make their devices more secure.

Russian threats

Cyclops Blink had been active since February, the Department of Justice (DoJ) said, and while law enforcement managed to secure some of the compromised devices, most were still infected and used by threat actors.

"The operation did not involve any FBI communication with bots," the Justice Department added.

Sandworm is a known threat actor working for the GRU, the Russian military intelligence unit. The group is also known as Voodoo Bear and Electrum, and was responsible for the DDoS attacks in Georgia in 2008, as well as the blackout in Ukraine in 2015.

According to the nonpartisan Council on Foreign Affairs, Sandworm primarily targets industrial control systems, using a tool known as Black Energy. In addition to cyber espionage, the group often engages in DoS attacks and is believed to be behind the 2017 NotPetya campaign.

The same year, the group targeted political parties and local government agencies in France, including those linked to the president. And in 2020, the US National Security Agency (NSA) accused the group of attacking messaging services around the world.

"The actors exploited victims using Exim software on their public MTAs by sending a command to the 'MAIL FROM' field of an SMTP (Simple Mail Transfer Protocol) message," the NSA said at the time.

Via TechCrunch