Russian President Vladimir Putin with Chief of the General Staff of the Russian Armed Forces Valery Gerasimov at the Luzhsky training ground during the main stage of the joint Russian-Belarusian strategic exercise "Zapad-2017" (Kremlin.ru, CC BY 4.0, via Wikimedia Commons)
The United States announced last Wednesday that it had secretly removed Russian malware from devices used by thousands of small to medium-sized businesses around the world. The news was announced by both Federal Bureau of Investigation (FBI) Director Christopher Wray and Attorney General Merrick Garland. It is another development in Russia's warfare, which is being waged not just in Ukraine but also in the digital realm anywhere in the world.
FBI Director Christopher Wray announced the move, saying that the bureau had conducted a sophisticated, court-authorized operation disrupting a “botnet” created by the Russian government’s intelligence agency, the GRU, specifically the GRU’s Sandworm Team. The botnet had allegedly infiltrated thousands of devices in several parts of the world.
“Today, we’re announcing a sophisticated, court-authorized operation disrupting a botnet of thousands of devices controlled by the Russian government—before it could do any harm. We removed malware from devices used by thousands of mostly small businesses for network security all over the world. And then we shut the door the Russians had used to get into them,” he stated.
In a separate news conference, Attorney General Merrick Garland announced the same operation for transparency.
“Fortunately, we were able to disrupt this botnet before it could be used. Thanks to our close work with international partners, we were able to detect the infection of thousands of network hardware devices. We were then able to disable the GRU’s control over those devices before the botnet could be weaponized.”
According to Wray, the malware, known as “Cyclops Blink,” was implanted on several thousand WatchGuard Technologies Firebox devices and ASUSTek Computer Inc. (ASUS) devices. He explained that the Fireboxes are essentially firewalls, typically used by small to medium-sized businesses to protect their computer systems and servers, and that they are also common in home offices.
Sandworm could then marshal the infected devices together and launch a series of orchestrated denial-of-service attacks. These distributed denial-of-service attacks, also known as DDoS attacks, are an attempt to disrupt a network’s normal traffic by overwhelming a system with internet traffic. In simple terms, it is like a traffic jam that prevents drivers from reaching their destination: the victim is stuck in traffic and cannot get anything done.
The botnet, composed of individual bots, would send huge numbers of requests to the target’s IP address, overwhelming it so that the owner cannot use the server or device. A DDoS differs from a denial-of-service (DoS) attack in that a DDoS uses many sources to launch the attack simultaneously, while a DoS attack comes from a single source. This is why a DDoS attacker is harder to pinpoint.
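The single-source versus many-source distinction above is what a defender actually sees in server logs. The following Python is an added illustration, not code from the article, the FBI, or WatchGuard: it parses constructed log lines in a simplified, hypothetical format, counts requests per source IP in a short window, and labels the window as normal, DoS (one source dominates) or DDoS (a flood spread across many sources). It also shows why a naive per-IP rate limit, which is enough against a single-source flood, drops nothing when the same volume arrives from a hundred bots. Thresholds and the log format are assumptions chosen for the demonstration.

```python
"""Classify a traffic window as normal, DoS or DDoS from per-source request counts.

Added example; all log lines are constructed and the line format is hypothetical:
    <src_ip> [HH:MM:SS] "<request>" <status>
"""
import re
from collections import Counter

LINE_RE = re.compile(r'^(\S+) \[(\d\d):(\d\d):(\d\d)\] "([^"]*)" (\d{3})$')


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, hh, mm, ss, req, status = m.groups()
    return {"ip": ip, "t": int(hh) * 3600 + int(mm) * 60 + int(ss),
            "req": req, "status": int(status)}


def make_lines(sources, per_source, start_sec=12 * 3600):
    """Constructed traffic: every source sends per_source requests inside a 10-second window."""
    lines = []
    for i, ip in enumerate(sources):
        for k in range(per_source):
            t = start_sec + (i * per_source + k) % 10
            hh, mm, ss = t // 3600, (t % 3600) // 60, t % 60
            lines.append(f'{ip} [{hh:02d}:{mm:02d}:{ss:02d}] "GET / HTTP/1.1" 200')
    return lines


def classify_window(lines, window_sec=10, flood_threshold=100, single_source_share=0.5):
    """Label the first window_sec seconds of traffic.

    flood_threshold and single_source_share are assumed tuning values: below the
    threshold the window is normal; above it, one source carrying at least
    single_source_share of the requests is a DoS, otherwise it is a DDoS.
    """
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return {"verdict": "normal", "total": 0, "sources": 0, "top_share": 0.0}
    t0 = min(r["t"] for r in recs)
    in_window = [r for r in recs if r["t"] < t0 + window_sec]
    counts = Counter(r["ip"] for r in in_window)
    total = len(in_window)
    _, top_n = counts.most_common(1)[0]
    top_share = top_n / total
    if total < flood_threshold:
        verdict = "normal"
    elif top_share >= single_source_share:
        verdict = "dos"
    else:
        verdict = "ddos"
    return {"verdict": verdict, "total": total, "sources": len(counts), "top_share": top_share}


def per_ip_block_fraction(lines, per_ip_limit=20):
    """Fraction of requests a naive per-IP rate limit (per_ip_limit per window) would drop."""
    counts = Counter(r["ip"] for r in map(parse_line, lines) if r)
    total = sum(counts.values())
    dropped = sum(max(0, n - per_ip_limit) for n in counts.values())
    return dropped / total if total else 0.0


# Three constructed scenarios using documentation (RFC 5737) address ranges.
NORMAL = make_lines([f"192.0.2.{i}" for i in range(1, 6)], 2)          # 10 requests, 5 sources
DOS = make_lines(["198.51.100.7"], 200)                                 # 200 requests, 1 source
DDOS = make_lines([f"203.0.113.{i}" for i in range(1, 101)], 2)        # 200 requests, 100 sources

if __name__ == "__main__":
    for name, lines in (("normal", NORMAL), ("dos", DOS), ("ddos", DDOS)):
        summary = classify_window(lines)
        blocked = per_ip_block_fraction(lines)
        print(f"{name:6s} verdict={summary['verdict']:6s} total={summary['total']:3d} "
              f"sources={summary['sources']:3d} per-IP limit drops {blocked:.0%}")
```

The DoS window is fully recognisable by one address and is mostly dropped by the per-IP limit; the DDoS window has the same total volume, but no single address exceeds the limit, so the same rule drops nothing. That is the practical meaning of "harder to pinpoint": the signal has to come from aggregate volume or request patterns rather than from any one source.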
These DDoS attacks were reportedly used against Ukraine during the invasion to render its cyber infrastructure useless. Such attacks were also allegedly used in the disruption of the Ukrainian electric grid in 2015 and in attacks on Georgia in 2019. Another piece of malware, a “wiper,” was used against Ukrainian government systems to render its servers useless. It is also worth noting that on the day of the Russian invasion, hackers knocked Viasat, a European satellite system, offline, possibly to degrade Ukraine’s ability to communicate internally. The attack also disrupted internet service, and with it communications, elsewhere in Europe.
Through a collaboration with WatchGuard, the FBI developed detection tools for the malware and removed the GRU’s ability to control the Fireboxes. However, Wray warned that formerly infected devices could still be very vulnerable unless further security measures are adopted.
Although what the malware does has been explained, its true intent remains unclear, as a DDoS attack is quite common. A piece of malware’s functions can range from surveillance to data erasure and even destruction of cyber infrastructure.
According to an American official who spoke with The New York Times, the United States did not want to wait to find out what the malware and the botnet could do. The FBI therefore obtained secret court orders to conduct the operation alongside several law enforcement and intelligence agencies around the world, leading to the success of the operation. These court orders allowed the FBI to operate on domestic corporate networks to remove the malware. The New York Times reported that some removal operations were done without the company’s knowledge.
Adam Meyers, Senior Vice President for Intelligence at CrowdStrike, who analyzed another piece of Russian malware designed to delete data and cripple computer systems that attacked Ukrainian government servers, said that the cyberattacks were carried out to aid Russian military objectives. It was also reported that multiple cyberattacks have plagued Ukraine for the duration of the invasion.
These efforts to counter the botnet and malware were led by the FBI’s Pittsburgh, Atlanta, and Oklahoma City Field Offices, the FBI Cyber Division, the National Security Division’s Counterintelligence and Export Control Section, and the US Attorney’s Office for the Western District of Pennsylvania.
“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division said in a statement.
It can be surmised that this malware was what President Biden had warned US private companies to be wary of in mid-March. He said that cyberattacks from Russia could be conducted against US companies, as such actions were part of “Russia’s playbook,” and that they would be carried out in retaliation for the fiscal and economic sanctions the West had levied on Russia.