Russia-linked Sandworm reportedly has retooled with ‘Cyclops Blink’

The "large-scale modular malware framework" has largely replaced the "VPNFilter" tools that Sandworm used before they were disrupted in 2018.
warning, alert
(Getty Images)

A long-running hacking group associated with Russian intelligence has developed a new set of tools to replace malware that was disrupted in 2018, according to an alert Wednesday from the U.S. and U.K. cybersecurity and law enforcement agencies.

The advanced persistent threat group, known primarily as Sandworm, is now using a “large-scale modular malware framework” that the agencies call Cyclops Blink. Western governments have blamed Sandworm for major incidents such as the disruption of Ukraine’s electricity grid in 2015, the the NotPetya attacks in 2017 and breaches of the Winter Olympics in 2018.

Cyclops Blink has largely replaced the VPNFilter malware in Sandworm’s activities since at least June 2019, said the joint alert from the U.K.’s National Cyber Security Centre (NCSC), and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, National Security Agency and FBI in the U.S. The NCSC also issued a separate analysis paper on Cyclops Blink.

The announcement arrives as one of Sandworm’s primary targets, Ukraine, faces a Russian invasion force within its borders. With that threat as a backdrop, U.S. and U.K. agencies hurried last week to attribute DDoS incidents against banking and government websites to Russia’s GRU. More DDoS attacks were reported Wednesday. John Hultquist, vice president of Threat Intelligence at Mandiant and an experienced tracker of Sandworm’s activities, tweeted that the timing of Wednesday’s alert “couldn’t have been much better.”


VPNFilter, used in the 2015 Ukraine attacks and 2018 Olympics incident, was exposed by cybersecurity researchers at Cisco Talos in 2018 and disrupted by the U.S. Department of Justice. Sandworm is typically linked to the GRU, Russia’s main intelligence directorate.

The new tools operate in a familiar fashion to VPNFilter by propagating through a custom botnet, the alert said. The chief targets are Firebox devices by WatchGuard, a manufacturer of firewall hardware for home offices and small networks. The Seattle-based company has been working closely with U.S. and U.K. agencies to block the malware on its products, the alert said.

“The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware,” the alert said.

The malware enters devices through a fake firmware update, according to the NCSC’s malware analysis, and can persist on a machine even after it has an authentic firmware update.

Russia declared war against Ukraine on Feb. 24., 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine

Latest Podcasts