US says it disrupted Russian botnet 'before it could be weaponized' - CyberScoop

2022-04-06 12:13 (EST) - Joe Warminsky


The U.S. government disrupted a botnet built by the Sandworm hacking group of Russia’s GRU intelligence agency before it could be used for malicious purposes, officials said Wednesday at a news conference.

“Thanks to our close work with international partners, we were able to detect the infection of thousands of network hardware devices,” Attorney General Merrick Garland said. “We were then able to disable the GRU’s control over those devices before the botnet could be weaponized.”

Botnets, networks of compromised internet-connected devices that can be directed to spread malware or perform other disruptive tasks, have long been part of the playbook for Russian state-backed hackers. Sandworm has been blamed for multiple high-profile cyberattacks around the world, including the shutdown of part of the Ukrainian electrical grid in 2015 and the worldwide NotPetya cyberattacks in 2017.

“[I]t does not matter how cleverly you write your malware or hide your online activity,” Garland said. “The Justice Department will use every available tool to find you, disrupt your plots and hold you accountable.”

FBI Director Christopher Wray said the botnet used the “Cyclops Blink” code that U.S. and U.K. cyber agencies had attributed to Sandworm in a recent alert. The botnet targeted Watchguard’s Firebox firewall hardware, which is often installed by small and mid-sized businesses.

The takedown of Cyclops Blink was “a sophisticated, court-authorized operation” that involved removing malware from thousands of devices, Wray said.

“And then we shut the door the Russians had used to get into them,” he said.

Wray said the U.S. government worked closely with Watchguard to develop “detection tools and remediation techniques” in recent weeks. Even though the botnet has been disrupted, owners of Firebox devices should still follow Watchguard’s instructions for updating the hardware, he said.

Cybersecurity researchers at Trend Micro expanded on the U.S. and U.K. warning on March 17, reporting that devices from additional vendors could also be affected.

ONE OF MANY

Federal agencies have outed several other Russia-linked cyber-operations since Moscow ramped up its hostilities against Ukraine earlier this year. In March the Justice Department announced the indictment of Russians allegedly associated with the Trisis malware that attacked a Saudi petrochemical plant in 2017. And White House officials have repeatedly warned about the potential for Russia-backed cyberattacks on U.S. businesses and infrastructure.

Gen. Paul Nakasone, director of the NSA and U.S. Cyber Command, told lawmakers Tuesday that American personnel have worked side-by-side with Ukrainian partners to “hunt forward” for malicious activity.

Ukrainian government officials also have provided regular updates about Russian cyber-activity. On Tuesday, the country’s Computer Emergency Response Team said a group known as Gamaredon or Armageddon had unsuccessfully sent phishing emails with malicious attachments designed to look like documents about purported Russian war crimes.

Russian-language cybercrime groups also are known for deploying botnets, including Trickbot and Emotet, which have been the target of cyber-operations by Western governments and corporations. Both of those botnets can be linked to the infamous Conti cybercrime organization, cybersecurity researchers say.

Garland’s announcement comes a day after German authorities, with the backing of the Justice Department and other U.S. agencies, took down the Russian-language Hydra dark web marketplace.

Updated 4/6/22: with more comments from news conference.
