A row of computers is seen at the FBI’s Jacksonville, Fla., field office. File Photo courtesy U.S. Federal Bureau of Investigation
April 7 (UPI) — The FBI removed malware from a network of hacked computers that had infected thousands of devices worldwide and was under the control of a Russian state-sponsored threat actor dubbed Sandworm.
The U.S. Department of Justice announced on Wednesday the court-authorized disruption of the so-called “botnet,” a network of computers infected by malware and controlled by a hacker, in March.
“The court-authorized removal of malware deployed by the Russian GRU (foreign military intelligence agency) demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” Attorney General Matthew G. Olsen, of the Justice Department’s National Security Division, said in a statement.
“By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes.”
Following the court order on March 18, the FBI copied and removed the malware from all remaining firewall devices that Sandworm was using as command and control servers for the underlying network, which severed those devices from Sandworm’s control.
Still, the Justice Department cautioned that devices that were used for the malware may remain vulnerable to Sandworm if their owners do not follow the detection and remediation steps recommended by the technology companies WatchGuard and ASUSTeK Computer.
The FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and Britain’s National Cyber Security Centre released an advisory on Feb. 23 identifying the threat actor as Sandworm, also known as Voodoo Bear, and referring to the malware as Cyclops Blink.
On the same day the advisory was released, WatchGuard released detection and remediation tools to remove the malware infection and update devices, and ASUSTeK later released guidance to mitigate the threat posed by the Cyclops Blink malware, according to the Justice Department’s statement.
The advisories began to address the problem, but a majority of the command and control server devices remained compromised until the FBI, acting on the March 18 court order, closed the external management ports that Sandworm was using to access them.
The malware was the apparent successor to another Sandworm botnet called VPNFilter, which the Justice Department disrupted through another court-authorized operation in 2018, the statement noted.
The advisory also listed previous malicious cyber activity attributed to Sandworm, including the BlackEnergy disruption of Ukrainian electricity in 2015, attacks against the Winter Olympics and Paralympics in 2018, and cyberattacks against the country of Georgia.