CISA Warns of New Malware Framework Used by Russian 'Sandworm' Hacking Team

The infamous Sandworm, aka Voodoo Bear, hacking team tied to the Russian General Staff Main Intelligence Directorate’s Russian (GRU’s) Main Centre for Special Technologies (GTsST) has changed up its malware infrastructure, according to an advisory issued today from the UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI. 

Sandworm has a vast resume of destructive attacks: the BlackEnergy attack on Ukraine's power systems in 2015, the Industroyer attack against Ukraine in 2016, the NotPetya destructive data-wiping attacks in 2017, distribution denial-of-service attacks against the nation of Georgia in 2019, and disruptive attacks against the Winter Olympics and Paralympics in 2018.

The so-called Cyclops Blink modular malware framework has been in action by Sandworm since at least June 2019, according to the agencies. Cyclops Blink is typically injected via a malicious firmware update once the victim's network has been infiltrated. The malware replaces the group's VPNFilter infrastructure, which was disrupted by the Justice Department in May 2018. 

"The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware," the advisory says, noting that only Watchguard devices that were reset to open remote-management interfaces can be infected with the malware.

The full report, prepared by the NCSC, provides details on the Cyclops Blink malware and indicators of compromise.