In February 2022, US and UK cybersecurity and law enforcement organizations published a joint report about a new type of malware they discovered. Cyclops Blink is a state-sponsored botnet that affected several routers and firewall appliances created by WatchGuard and Asus.
According to the investigation, Cyclops Blink belongs to Sandworm, a notorious hacker group linked to the Russian government. Sandworm has targeted many victims, including government organizations, energy companies, telecommunications firms, academic institutions, and critical infrastructure. Its operations have spanned different regions, with notable targets in Ukraine, Europe, and the US.
The roots of Cyclops Blink go back to 2018, when US intelligence agencies confirmed the existence of the VPNFilter malware. Let’s have a look at both of these malicious programs.
A detailed explanation of Cyclops Blink
Cyclops Blink is modular malware, which makes it an advanced threat. Modular malware attacks a system in stages. Instead of coming through the front door like a wrecking ball, it first installs only the essential components. Think of these components as scouts that analyze the system and its weaknesses.
After this initial reconnaissance, modular malware loads the rest of its capabilities. In the case of Cyclops Blink, the infection relies on exploiting the device’s code to escalate privileges, after which the malware takes full control of the device. Cyclops Blink then starts acting as a command-and-control server. Its modular design lets the malware survive legitimate firmware upgrades, so eliminating it isn’t easy, and devices can remain vulnerable for a long time.
Link to the VPNFilter malware
The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) describe Cyclops Blink as the successor to another Sandworm tool, VPNFilter. That malware infected over half a million routers to form a global botnet. In 2018, Cisco and the FBI identified and dismantled the VPNFilter botnet.
However, it never disappeared completely. According to the intelligence agencies, instead of upgrading VPNFilter, the Sandworm group preferred to build a new tool, which is probably why Cyclops Blink emerged.
Sandworm deployed VPNFilter in several stages, with most of its functionality appearing in the third stage. The modules of that stage enabled traffic manipulation and the destruction of the infected host device, and likely allowed exploitation of downstream devices.
CISA and NCSC found that the victim devices worldwide were small office/home office (SOHO) network devices from WatchGuard, specifically WatchGuard Firebox appliances. Cyclops Blink has been attacking WatchGuard’s firewall devices since at least June 2019.
Another version of this malware targets Asus devices. It’s capable of reading the flash memory of a router to gather information about critical files, executables, data, and libraries. Cyclops Blink then receives a command to nest in the flash memory and establish permanent persistence.
Even though the research revealed that business customers were a more likely target of Cyclops Blink, it is hard to tell how the attackers choose their targets. The malware probably attacked the most vulnerable devices to create a botnet that could conduct even bigger attacks in the future.
Cyclops Blink malware is a serious threat to any network’s security. Once the malware infects a device, its operators can command and control that device to carry out attacks such as distributed denial-of-service (DDoS) attacks and data theft, or to send spam messages.
Cyclops Blink’s resistance to defense mechanisms makes it a headache for every software developer. Since this malware came to light, Asus and WatchGuard have worked closely with the investigators to create necessary protective updates.
The joint investigation of the FBI, CISA, the US Department of Justice, and the UK National Cyber Security Centre revealed that the malicious actor known as Sandworm or Voodoo Bear is responsible for the Cyclops Blink botnet.
The Sandworm group has attacked Ukrainian companies and government agencies on multiple occasions. It was also responsible for destroying entire Ukrainian networks and for attacks against the 2018 Winter Olympics, among many other destructive operations. Voodoo Bear remains one of the most dangerous hacker groups in the world.
Since Cyclops Blink came to light, WatchGuard and Asus have taken the necessary precautions to protect their users. Asus released several security updates to prevent router infection, while WatchGuard created a set of Cyclops Blink detection and remediation tools and a plan to help customers diagnose infections and avert future ones.
The plan consists of four steps: diagnose, remediate, prevent, and investigate. Let’s have a brief look at all of them.
How to diagnose Cyclops Blink
WatchGuard provides three tools to help you diagnose whether Sandworm malware has affected your Firebox: the Cyclops Blink Web Detector, the WatchGuard System Manager Cyclops Blink Detector, and the WatchGuard Cloud Cyclops Blink Detector. Use them to check your devices.
How to remediate your Firebox software
- To remediate an infected WatchGuard device, boot it into recovery mode, then use the WSM Quick Setup Wizard to upgrade to the latest Fireware version.
- After remediation, the only way to ensure a device is not re-infected is to build a new configuration file.
- To complete remediation, you must have physical access to the Firebox. If physical access isn’t possible, you can use RapidDeploy or WatchGuard Cloud templates to begin building a new configuration file or configuration settings.
How to prevent Cyclops Blink infection
- Whether your Firebox was infected or not, it’s crucial to run the latest version of Fireware on your Firebox.
- Planning to update the Firebox “status” and “admin” passphrases regularly is also essential. You should have unique passwords for each Firebox you manage and change them frequently.
- Ensure that the policies controlling management access to the firewall do not expose it to unrestricted access from the Internet.
Investigate Cyclops Blink infection
If you suspect that Sandworm malware has infected your Firebox, use the steps outlined above to conduct a forensic investigation of your network and to protect it from future infections.