The US has disrupted a large global botnet operated by Russia’s GRU military intelligence agency. The US Attorney General Merrick Garland made the announcement on Wednesday.
“Fortunately, we were able to disrupt this botnet before it could be used. Thanks to our close work with international partners, we were able to detect the infection of thousands of network hardware devices,” said Garland.
“We were then able to disable the GRU’s control over those devices before the botnet could be weaponised.”
Russia has launched a number of cyberattacks in recent months. On the day Russia invaded Ukraine, a cyberattack was launched targeting satellite operator Viasat. The cyberattack, which used malware linked to Russia, caused an outage that impacted thousands of customers not just in Ukraine but across Europe.
The cyberattack on Viasat spilt over and rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control. Had it hit something more critical, there could have been a serious escalation. NATO has been clear that a cyberattack on a member could trigger a collective response from the alliance.
Western countries have been preparing for a large-scale cyberattack from Russia in retaliation for their support of Ukraine.
Additional sanctions announced by the US, UK, and EU this week in response to the evidence of Russian forces committing war crimes – such as rape, torture, and the execution of civilians, including women and children – have increased the likelihood of Russia using a cyberattack as revenge.
“This court-authorised removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.
The operation disrupted a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the US government has previously attributed to the GRU.
The malware itself is known as ‘Cyclops Blink’, which the UK’s National Cyber Security Centre, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, and the National Security Agency identified on 23 February 2022. Cyclops Blink is the apparent successor to another Sandworm-linked botnet known as VPNFilter, which was first exposed by Cisco Talos in 2018. Cyclops Blink is sophisticated and modular: its core functionality beacons device information back to a command-and-control server and allows files to be downloaded and executed on the infected device. It can also load new modules while running, which allows Sandworm to add capabilities as required.