For the second time in a year the FBI has used search-and-seizure warrants to clean malware from devices owned by private businesses and users without their explicit approval. The agency used this approach to disrupt a botnet believed to be the creation of Russian government hackers.
The operation targeted the Cyclops Blink malware that was discovered earlier this year and is attributed to a group known in the security industry as Sandworm, which the U.S. and UK intelligence agencies believe is a unit within the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).
What is Cyclops Blink?
Cyclops Blink is a modular malware program designed to infect and control network hardware devices such as routers and firewalls. The UK National Cyber Security Centre (NCSC) in collaboration with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released an advisory about in February naming WatchGuard Firebox firewall devices as one of the malware’s targets. Since then, routers made by ASUS have also been confirmed as targets for the botnet.
Cyclops Blink is believed to be a replacement for VPNFilter, another malware program that infected over 500,000 home and small business routers made by various network hardware manufacturers including Linksys, MikroTik, Netgear, QNAP, and TP-Link. VPNFilter had modules that enabled traffic monitoring and manipulation and allowed downstream devices to be attacked. One module enabled the monitoring of Modbus SCADA protocols, which are used in industrial control environments.
The FBI dismantled the VPNFilter botnet after the agency seized the domain name that the attackers used to control it and issued commands to reboot the devices. That action did not completely remove the malware from all devices. According to research by security firm Trend Micro, as of January 2021, a third of devices infected with VPNFilter were still compromised.
However, given that their malware operation had been blown, the Sandworm group preferred to retool and developed Cyclops Blink, which is believed to have been in operation since at least June 2019. Like VPNFilter, Cyclops Blink can download and execute additional modules that extend its functionality, but it is more persistent because it’s deployed as part of a firmware upgrade and its command-and-control (C2) mechanism is more complex.
In particular, each device infected with Cyclops Blink contains a hardcoded list of C2 servers. These servers serve a relay role and are all connected to a central command panel used by the attackers and hosted on the Tor network.
How did the FBI disrupt the botnet?
FBI agents managed to recover a firmware image from one of the compromised WatchGuard devices with the owner’s approval and used it to study the malware. They also monitored the traffic of the infected device which allowed them to identify one of the C2 relay servers located in the U.S.
The agents then obtained access to the server and analyzed how it worked. This provided the information that every C2 server used a digital certificate with particular characteristics that was deployed by the attackers. By scanning the internet for these characteristics, the agency managed to identify 38 Cyclops Blink C2 servers, 22 of them based in the U.S. They then obtained a search-and-seizure warrant to take control of some of the servers.
The agency also developed a technique that allowed it to impersonate the attacker’s Tor-hosted control panel to the servers, allowing them to issue commands that would be relayed to the bots served by those servers. The agency then worked with WatchGuard and other law enforcement partners to develop and test a cleanup strategy that involves sending a series of commands to the infected devices.
According to an unsealed affidavit, these commands achieve the following goals: Confirm the presence of the malware binary (known as CPD) on the device, log the serial number of the infected device, retrieve a copy of the malware and its list of hardcoded C2 servers, remove the CPD malware from the device, and add firewall rules to the device that would block remote access to the management interface.
The last step is important because the Sandworm attackers exploited an authentication bypass vulnerability (CVE-2022-23176) in the devices to access their management interfaces if they were configured for remote administration from the internet. By adding firewall rules to block this access, the FBI prevented the Sandworm attackers from compromising the devices again. However, the agency noted that these firewall rules are not persistent and device owners can simply reboot their devices to return them to the previous configuration.
In the affidavit, which was filed in support of the agency’s request for a search-and-seizure warrant to allow the operation, the FBI agents note that none of the commands allow the agency to view or retrieve a device owner’s content or data and that the technique was tested in advance to make sure it doesn’t impact the device’s functionality in any way.
The FBI obtained search warrants from the Western District Court in Pennsylvania and Eastern District Court in California to execute the commands from at least two C2 servers. While this is not the first time law enforcement agencies, including the FBI, used search warrants to issue commands to botnets via seized C2 servers, extracting evidence from those devices such as a copy of the malware without the owner’s approval is relatively new.
The agency used a similar approach in April last year to copy and then remove web shells deployed by a Chinese cyberespionage group called Hafnium on Microsoft Exchange servers that had been compromised through zero-day vulnerabilities. The operation raised questions about privacy and transparency.
The Federal Rule of Criminal Procedure requires officers to make “reasonable efforts to serve a copy of the warrant and receipt on the person whose property is searched” when dealing with remote access to electronic storage and the seizure of electronically stored information. However, such notifications can be accomplished by any means, including electronic ones, that have a “reasonably calculated” chance of reaching that person. To comply with this requirement, the FBI sent emails, including a copy of the warrants, to the email addresses associated with the domain names associated with the IP addresses of the infected devices. If the domains used a privacy service that hid the associated email address, the FBI contacted the IP owners’ domain registrars and ISP and asked them to notify their customers.
Who is Sandworm?
The Sandworm group is believed to be the Russian government’s most proficient hacking team. The group has been responsible for attacks against Ukraine’s energy infrastructure in 2015 with the Black Energy malware and in 2016 with the Industroyer malware. It has also been responsible for the destructive NotPetya pseudo-ransomware attack in 2017 and the attacks against Winter Olympics IT infrastructure in 2018. The 2019 attacks against government and private websites in Georgia have also been attributed by the U.S. and UK intelligence agencies to Sandworm.
The group, also known as Voodoo Bear or GRU Unit 74455, is believed to be one of multiple units inside the GRU that engage in cyber operations. Another other one is APT28, also known as Fancy Bear in the security industry. Sandworm, which has been active since at least 2009 and operates out of the GRU’s Main Center for Special Technologies (GTsST) military unit 74455, is generally tasked with destructive sabotage-style attacks, while APT28, or the GRU’s 85th Main Special Service Center (GTsSS) military unit 26165, typically engages in cyberespionage and misinformation campaigns.
In October 2020, the Department of Justice indicted six GRU officers for their roles in cyberattacks attributed to Sandworm.
Copyright © 2022 IDG Communications, Inc.
