Hackers for one of Russia’s most elite and brazen spy agencies have infected home and small-office network devices around the world with a previously unseen malware that turns them into attack platforms that can steal confidential data and target other networks.
Cyclops Blink, as the advanced malware has been dubbed, has infected about 1 percent of network firewall devices made by network device manufacturer Watchguard, the company said on Wednesday. The malware is able to abuse a legitimate firmware update mechanism found in infected devices in a way that gives it persistence, meaning it survives reboots.
Like VPNFilter, but stealthier
Cyclops Blink has been circulating for almost three years and replaces VPNFilter, the malware that in 2018 researchers found infecting about 500,000 home and small office routers. It contained a veritable Swiss Army Knife that allowed hackers to steal or manipulate traffic and to monitor some SCADA protocols used by industrial control systems. The US Department of Justice linked the hacks to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, typically abbreviated as the GRU.
With VPNFilter exposed, Sandworm hackers built a new malware for infecting network devices. Like its predecessor, Cyclops Blink has all the trappings of professionally developed firmware, but it also has new tricks that make it stealthier and harder to disinfect.
“The malware itself is sophisticated and modular with basic core functionality to beacon device information back to a server and enable files to be downloaded and executed,” officials with the UK’s National Cyber Security Center wrote in an advisory. “There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.”
Holding the WatchGuard hostage
So far, the advisory stated, Sandworm has “primarily” used the malware to infect network devices from WatchGuard, but it’s likely the hackers are able to compile it to run on other platforms as well. The malware gains persistence on WatchGuard devices by abusing the legitimate process they use to receive firmware updates.
The malware starts by copying firmware images stored on the device and modifying them to include malicious functionality. Cyclops Blink then manipulates an HMAC value used to cryptographically prove the image is legitimate so devices will run it. The process looks like this:
The malware contains a hard-coded RSA public key, which is used for C2 communications, as well as
a hard-coded RSA private key and X.509 certificate, but they don’t appear to be actively used within the samples analyzed by the UK officials, making it possible that they’re intended to be used by a separate module.
Cyclops Blink uses the OpenSSL cryptography library to encrypt communications underneath encryption provided by TLS.
“Each time the malware beacons it randomly selects a destination from the current list of C2 server IPv4
addresses and hard-coded list of C2 ports,” Wednesday’s advisory stated. “Beacons consist of queued messages containing data from running modules. Each message is individually encrypted using AES-256-CBC. The
OpenSSL_EVP_SealInit function is used to randomly generate the encryption key and IV for each message, and then encrypt them using the hard-coded RSA public key. The OpenSSL_RSA_public_decrypt function is used to decrypt tasking, received in response to beacons, using the hard-coded RSA public key.”
Other new measures for stealth include use of the Tor privacy network to conceal the IP addresses used by the malware. UK officials wrote:
Victim devices are organised into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses (T1008). All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS) (T1071.001), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network:
WatchGuard said it retained security firm Mandiant to investigate the infections and has also been working with law enforcement.
“WatchGuard has concluded, based on our own investigation, an investigation conducted jointly with Mandiant, and information provided by the FBI, that there is no evidence of data exfiltration from WatchGuard or its customers, and firewall appliances are not at risk if they were never configured to allow unrestricted management access from the Internet” company officials wrote. The document also includes a list of indicators WatchGuard customers can use to detect infections and steps they can take to disinfect them.
Sandworm is among the world’s most advanced—not to mention cut-throat—outfits that has been behind almost two decades of ambitious and destructive cyberattacks. Examples include:
WIRED journalist Andy Greenberg in 2019 published Sandworm, a book that chronicles the hacks and the geopolitical tensions they exploit. Wednesday’s advisory said that Cyclops Blink has the potential to infect a large number of devices.
“In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread,” UK officials wrote. “The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.”