US Cyber Agencies and UK Issue Advisory on New Sandworm Malware Targeting Network Devices

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the U.K. National Cyber Security Centre (NCSC), the FBI, and the NSA, has jointly published an advisory alerting organizations to new malware, Cyclops Blink, used by the threat actor known as Sandworm or Voodoo Bear. The NCSC, CISA, and the FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate's (GRU's) Main Centre for Special Technologies.

Since at least 2019, the actor has been observed using Cyclops Blink to target network devices, and the targeting appears to be indiscriminate and widespread. So far, the actor has primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm is capable of compiling the malware for other architectures and firmware. Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which compromised network devices, primarily small office/home office routers and network attached storage devices.

Cyclops Blink persists across reboots and survives the legitimate firmware update process, so updating firmware alone does not remove it. To remove the malware, organizations should refer to vendor guidance. Device owners should follow each step in those instructions to ensure that devices are patched to the latest version and that any infection is removed.

In addition to this latest advisory, we also encourage all organizations to review our Shields Up webpage for recommended actions on protecting their most critical assets from threat actors.

The advisory can be found at cisa.gov/uscert/ncas/alerts/aa22-054a. For more information on Russian state-sponsored activity, see Russia Cyber Threat Overview and Advisories.

We encourage you to share this information widely.

Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
Cell:  217-299-3954 | steven.lyddon@cisa.dhs.gov