WatchGuard firewalls and ASUS routers in the U.S. are being attacked by the Russian government: How to fix it?

U.S. authorities announced the disruption of the Cyclops Blink botnet, run by the Sandworm hacking group, which is allegedly funded by the Russian government. The malware used by this group mainly targets ASUS routers and WatchGuard Firebox firewalls.

The researchers mention that Cyclops Blink allowed threat actors to gain persistence on affected devices by surviving firmware updates, providing remote access to the affected networks. The botnet malware is modular, which makes it easy to extend so that it can infect new device types and reach new pools of vulnerable hardware.

U.S. Attorney General Merrick Garland has attributed this activity to the Russian military intelligence agency, known as GRU: “The Russian government has used similar infrastructure to attack its targets in Ukraine. We were able to disrupt this botnet before it could be used in bulk thanks to our work with international agencies.”

This research work made it possible to remove the malware from all WatchGuard devices identified as C&C servers. For its part, the Federal Bureau of Investigation (FBI) notified the owners of compromised devices in the United States and other regions of the world.

Chris Wray, director of the FBI, says that the botnet was shut down following close cooperation with WatchGuard, which analyzed the malware and developed compromise detection tools: “As we move forward, any Firebox device that acted as a bot may remain vulnerable in the future until its owners mitigate the flaws. Therefore, those owners still need to go ahead and take the detection and remediation steps recommended by the manufacturer.”

Sandworm and the Russian government

Also known as Voodoo Bear, BlackEnergy and TeleBots, this hacking group has been active for more than 15 years and is believed to be made up of military-trained hackers belonging to Unit 74455 of the GRU Special Technologies Center.

Between 2015 and 2016, Sandworm hackers were linked to the BlackEnergy malware, the tool responsible for the massive blackouts in Ukraine. Other disruptive tools allegedly linked to Sandworm are KillDisk and NotPetya, malware variants that caused millions of dollars in losses in past years.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.