UPDATE: March 18, 2022: A new variant of Cyclops Blink, the botnet linked to a Russian state-sponsored threat actor, is now targeting Asus routers, according to a blogpost from TrendMicro.
Asus has also issued a security bulletin that outlines mitigation steps and a list of affected products.
UPDATE: Feb. 28, 2022: The FBI and Cybersecurity Infrastructure Security Agency are warning organizations to take precautions against destructive malware, including WhisperGate and HermeticWiper, which are spreading in connection to the Russia invasion of Ukraine.
HermeticWiper was found on hundreds of machines in Ukraine last week, while WhisperGate was originally deployed in January.
Dive Brief:
-
U.S. and U.K. authorities on Wednesday warned of a new sophisticated state-sponsored botnet called Cyclops Blink, which uses WatchGuard firewall appliances to spread destructive malware. Sandworm, also known as Voodoo Bear, is the threat actor behind the botnet.
-
Also, on Wednesday and Thursday, researchers from ESET and Symantec detected a destructive new malware, dubbed HermeticWiper, on hundreds of machines in Ukraine, the latest in a long-anticipated series of cyberattacks linked to Russia.
-
A new round of DDoS attacks targeted Ukraine government ministries and banks just hours before the wiper malware was detected and multiple cities in Ukraine came under attack from artillery fire.
Dive Insight:
Cyclops Blink malware is a more sophisticated version of the VPNFilter malware that was previously used for attacks using SOHO routers and network attached storage devices.
VPNFilter malware was also deployed in South Korea before the 2018 Winter Olympic Games, but it was exposed by Cisco Talos, leading to its eventual disruption by federal authorities.
WatchGuard officials said they are working with authorities to mitigate the impact of Cyclops Blink. The malware may have impacted 1% of active firewall appliances, but it has not spread to other products, WatchGuard said. There is no evidence of stolen data and the company’s own networks have not been breached.
"In light of the crisis in Ukraine we are very concerned about this actor, who has surpassed all others we track in terms of the aggressive cyber attacks and information operations they have conducted," John Hultquist, Mandiant Threat Intelligence, said by email. "No other Russian threat actor has been so brazen and successful in disrupting critical infrastructure in Ukraine and elsewhere."
U.S. authorities have warned for months about the potential collateral damage of a Russian military incursion into Ukraine. The new cyber activity could ricochet through multinational businesses, supply chains and key infrastructure facilities, like transportation, energy and healthcare.
Widespread business disruption was a byproduct of the 2017 NotPetya attack.
So far, researchers have detected the HermeticWiper on machines in Ukraine and nearby countries Latvia and Lithuania. The wiper abuses legitimate drivers from EaseUS Partition Master software to corrupt data, according to ESET researchers.
The wiper uses a code-signing certificate issued to a Cyprus-based firm called Hermitica Digital, ESET found. Timestamp data shows the malware may have been in the works since Dec. 28, 2021.
Researchers at SentinelOne said the wiper attacks Microsoft Windows devices and manipulates the master boot record after a reboot.
The latest wiper follows a data wiping malware called WhisperGate, which was unleashed in Ukraine last month.
Western authorities have previously linked the threat actor known as Sandworm to the special technology branch of Russia's intelligence arm, the Main Intelligence Directorate's (GRU) Main Centre for Special Technologies (GTsST).
Sandworm was also linked to the 2015 Black Energy attacks and the 2017 NotPetya campaign, according to a joint report from the FBI, National Security Agency and cybersecurity authorities in both countries.
The new revelations indicate Sandworm remains a very capable adversary after numerous years in the field, according to security researchers.