UK, US warn Russian malware spotted in the wild

The UK and US governments are warning of newly-documented malware that attacks SOHO routers, firewalls and NAS devices.

Called Cyclops Blink, America’s CISA attributed the malware to Russia’s GRU (Moscow’s General Staff Main Intelligence Directorate), since the malware replaces the VPNFilter previously operated by the GRU.

The malware has been active since June 2019, the security agencies say.

So far, the new malware has only been seen on WatchGuard Firebox firewalls, and only if users have changed the default settings to allow remote access to route management interfaces. 

The company says Cyclops Blink has infected 1 percent of active firewalls, and so far, it knows of no data exfiltration from either WatchGuard or its customers.

WatchGuard has published a Cyclops Blink detection tool, along with remediation instructions.

Modular

Like VPNFilter, Cyclops Blink is a modular system. 

As the NCSC explains: “The malware itself is sophisticated and modular with basic core functionality to beacon device information back to a server and enable files to be downloaded and executed.”

The malware is installed as a firmware upgrade, with compromised firewalls then put under the control of a command and control network.

The CISA explained: “Victim devices are organized into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses. All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices.

England’s NCSC (part of GCHQ(, which worked with the CISA on analysing Cyclops Blink, has released a technical analysis (PDF) of the malware, as has the NSA (PDF).

That document explained that Cyclops Blink is a Linux executable compiled for the 32-bit PowerPC architecture, which WatchGuard mostly uses for lower-end devices.

Command and control communications use “a custom binary protocol under TLS”, and messages are individually encrypted.

The CISA said if a user discovers a Cyclops Blink infection, they should “assume that any passwords present on the device have been compromised and replace them”, and users should also “ensure that the management interface of network devices is not exposed to the internet.”

Sandworm, also known as Voodoo Bear, has been active for some years, and was associated with snooping on NASA and other organisations via a bug in Windows, the 2018 attacks on Ukrainian energy and transport companies, and a 2020 exploit for the EXIM email message transfer agent.