Major Russian cyberattack globally halted by intelligence agencies in the Netherlands

Thousands of routers owned by small businesses and homes in the Netherlands were hacked in what appears to be a botnet operation by a dangerous Russian hacking group. According to early reports, these devices were compromised by Unit 74455, also known as Sandworm or BlackEnergy.

MIVD, a Dutch military intelligence group, managed to track down the compromised routers after a thorough investigation so it is in the process of notifying victims. So far the exact number of devices hacked has not been confirmed, although experts believe that a few dozen attacks could be confirmed.

For cybersecurity specialists it is curious that the intelligence agency is making public the details about its investigation, although the director of MIVD Jan Swillens considers that transparency is necessary in this type of cases: “The threat is sometimes closer than you think. We want the Dutch to be aware of this cyberattack orchestrated by a state actor.”

Cybersecurity researchers mention that Unit 74455 is part of Russia’s military intelligence service and is considered by many to be one of the most dangerous cybercriminal groups in the world, responsible for several of the most notable attacks in recent years. Between 2015 and 2017 this group achieved a massive disruption of electricity services in Ukraine, in addition to launching other massive attacks against other areas of critical infrastructure on Ukrainian territory.

The attack reported by MIVD follows warnings from the British and American security services, which claimed that Russian hacking groups could be about to deploy powerful attacks using a new type of malware known as CyclopsBlink. This malware variant is introduced into WatchGuard’s routers and firewall solutions to add the affected devices to a massive botnet.

Specialists point out that CyclopsBlink is installed as part of a supposed update and then remains on the affected router. Individuals and companies that have modified the default settings and enabled external access are vulnerable, according to reports collected so far.

Once installed, the malware communicates with the attackers’ systems. The botnet can be controlled centrally and collectively and can be used for espionage, influence and sabotage purposes. The threat is considered active, so network device administrators should take all possible security measures to prevent these attacks.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.