The Department of Justice (DoJ) and FBI said this week they worked together to disrupt a botnet made up of thousands of infected network hardware devices and controlled by the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).
The agencies disrupted the botnet – a network of infected computers used to carry out cyberattacks – under a court-authorized operation conducted in March 2022, according to a DoJ press release.
“Fortunately, we were able to disrupt this botnet before it could be used,” Attorney General Merrick Garland said in a statement. “Thanks to our close work with international partners, we were able to detect the infection of thousands of network hardware devices.”
“We were then able to disable the GRU’s control over those devices before the botnet could be weaponized.”
The botnet was under the control of a threat actor known as Sandworm, which the U.S. government has previously attributed to the GRU. The agencies were able to identify and remove malware known as “Cyclops Blink,” which targets network devices manufactured by WatchGuard Technologies Inc. (WatchGuard) and ASUSTek Computer Inc. (ASUS).
Specifically, the agencies copied and removed the malware from “vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.”
Although the agencies did not access the Sandworm malware on the thousands of devices worldwide that comprise the botnet, DoJ said the disabling of the C2 mechanism “severed those bots from the Sandworm C2 devices’ control.”
“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division.
“By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity,” Olsen added. “The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes.”