As the war in Ukraine continues, the United States remains under heightened threat of Russian cyberattacks.
The FBI recently announced that it has been silently removing malware to thwart Russian cyberattacks against the U.S. and other targets. The agency’s secret operation is the latest effort from the Biden administration to undermine and publicize Russian offensives before they have their intended effect.
Despite the FBI operation, Russia remains a threat to organizations around the world. Some American officials even fear that a major cyber operation could be used to damage the U.S. economy. The Biden administration urges U.S. critical infrastructure companies –financial firms, pipelines, the electric grid–to remain especially vigilant as the war continues and sanctions against Russia escalate.
Attacks Were Anticipated
Russian hackers have a reputation for attacks on the U.S. and its allies. In 2015, hackers likely working for the Russian government broke into the State Department email system. In 2016, a group of Russian origin appears to have leaked the emails of the Democratic National Committee and other officials. The massive SolarWinds cyberattack was also perpetuated by a group working for the Russian government.
While the U.S. is opposed to becoming involved in any physical warfare that could escalate dangerously, thwarting cyberattacks is another story.
Experts anticipated that Russian military aggression on the ground and in the air would be matched with military aggression in cyberspace. As a result, CISA issued its first alert related to Russia’s military action near Ukraine in January 2022. This early warning provided the public with an overview of Russian state-sponsored cyber operations and common tactics.
CISA followed the early warning with a “Shields Up” alert in mid March. This alert noted that “Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks.”
The Mechanism of Attack
The Justice Department identified the current Russian threat as a type of malware that connects thousands of private computers to a botnet called Cyclops Blink. The botnet was under the control of a threat actor known as Sandworm, an entity linked to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).
Cyclops Blink is Sandworm’s latest known botnet, replacing VPNFilter, a malware framework first exposed in 2018.
The FBI disconnected the networks before their intent became obvious. But it could have been used for anything from spying to DDoS attacks to compromising sensitive information.
The Response
In cooperation with CISA, the NSA, and the UK’s National Cyber Security Centre, the FBI released an advisory about Cyclops Blink after it was discovered in February. The attack targets network devices manufactured by WatchGuard and ASUS. These devices typically operate on the perimeter of networks, providing Sandworm with the potential to infect and conduct malicious activities on all devices within those networks.
Along with the government advisory, both WatchGuard and ASUS released detection and remediation tools for users. Thousands of compromised devices used these tools to successfully remediate the attacks. However, many more devices remained compromised and needed to be repaired in order to protect national security.
The FBI pursued a secret court order that allowed them to go into domestic corporate networks and remotely remove the malware. Sometimes companies did not even know that the FBI was protecting their devices. After the compromised devices were disinfected, the feds also closed the external management ports that Sandworm was using for access.
What Should Companies Do Now?
The FBI advises network defenders and device owners to review the February 23 guidance and WatchGuard and ASUS releases and take action where indicated.
Similar (or new) Russian cyberattacks could continue. Critical infrastructure companies are at high risk. Utility companies in particular need to upgrade systems if they are going to successfully face off with potential nation state threat actors.
With our highly integrated systems, every organization needs to remain on alert to protect the country from threats. Patching, assessing risk, and training employees on potential threats remains critical.
If you need help assessing your risk in the current climate, Asylas is here. Reach us at 615-622-4591 or info@asylas.com. Or complete our contact form.