The United States announced last Wednesday that it had secretly removed Russian malware from thousands of devices belonging to small and medium-sized businesses around the world. The news was announced by both Federal Bureau of Investigation (FBI) Director Christopher Wray and Attorney General Merrick Garland. It is another front of Russian warfare, not just in Ukraine but also in the digital realm anywhere in the world.
FBI Director Christopher Wray announced the move, saying that the bureau had conducted a sophisticated, court-authorized operation disrupting a “botnet” created by the Russian government’s military intelligence agency, the GRU, specifically the GRU’s Sandworm Team. The botnet had allegedly infiltrated thousands of devices in several parts of the world.
“Today, we’re announcing a sophisticated, court-authorized operation disrupting a botnet of thousands of devices controlled by the Russian government—before it could do any harm. We removed malware from devices used by thousands of mostly small businesses for network security all over the world. And then we shut the door the Russians had used to get into them,” he stated.
In a separate news conference, Attorney General Merrick Garland announced the same operation for transparency.
“Fortunately, we were able to disrupt this botnet before it could be used. Thanks to our close work with international partners, we were able to detect the infection of thousands of network hardware devices. We were then able to disable the GRU’s control over those devices before the botnet could be weaponized.”
According to Wray, the malware, known as “Cyclops Blink,” was implanted on several thousand WatchGuard Technologies Firebox devices and ASUSTek Computer Inc. (ASUS) devices. He explained that the Fireboxes are essentially firewalls, typically used by small to medium-sized businesses to protect their computer systems and servers, and that they are also common in home offices.
Sandworm could then command all of these infected devices together as a single botnet and launch a series of orchestrated denial of service attacks. These distributed denial of service attacks, also known as DDoS attacks, are an attempt to disrupt a network’s normal traffic by overwhelming a system with internet traffic. In simple terms, it is like a traffic jam that keeps drivers from reaching their destination: legitimate users are stuck behind the flood and cannot get their work done.
The botnet, made up of individual bots, sends huge numbers of requests to the target’s IP address, leaving it so overwhelmed that legitimate users cannot reach the server or device. A DDoS differs from a denial-of-service (DoS) attack in that a DDoS uses many sources to launch the attack simultaneously, while a DoS attack comes from a single source. This is why a DDoS attack is harder to pinpoint and block: there is no single source address to filter.
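The distinction the article draws between a single-source DoS and a multi-source DDoS is exactly what a defender’s traffic monitor has to make, because the response differs (block one address versus rate-limit or scrub broadly). The following is an added example written for this page, not code from the FBI, WatchGuard or the article; it groups web-server access-log lines into fixed time windows, counts requests per source, and labels each window as normal, a single-source flood, or a distributed flood. The log lines are constructed for the example, and the thresholds (50 requests per 10-second window, at least 5 sources, no source above 50% of traffic) are illustrative assumptions, not operational values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common-log-format style line: "<ip> - - [<timestamp>] "<request>" <status> <bytes>"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, datetime) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def classify_windows(lines, window_s=10, flood_threshold=50, min_sources=5, max_top_share=0.5):
    """Bucket requests into fixed windows and label each one.

    Assumed (illustrative) rules:
      - fewer than flood_threshold requests in a window -> "normal"
      - flood spread over >= min_sources addresses, none above max_top_share -> "ddos"
      - any other flood (dominated by one or a few addresses)             -> "dos"
    """
    buckets = defaultdict(Counter)  # window_start -> Counter(ip -> request count)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the monitor
        ip, ts = parsed
        window_start = int(ts.timestamp()) // window_s * window_s
        buckets[window_start][ip] += 1

    verdicts = {}
    for window_start in sorted(buckets):
        per_ip = buckets[window_start]
        total = sum(per_ip.values())
        sources = len(per_ip)
        top_share = max(per_ip.values()) / total
        if total < flood_threshold:
            verdict = "normal"
        elif sources >= min_sources and top_share <= max_top_share:
            verdict = "ddos"
        else:
            verdict = "dos"
        verdicts[window_start] = {
            "verdict": verdict,
            "requests": total,
            "sources": sources,
            "top_source_share": round(top_share, 2),
        }
    return verdicts


def make_sample_log():
    """Constructed sample traffic covering three consecutive 10-second windows."""
    base = datetime(2022, 4, 6, 12, 0, 0, tzinfo=timezone.utc)  # aligned to a 10 s boundary
    lines = []

    def add(ip, offset_s, path="/"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')

    # Window 0 (0-9 s): ordinary browsing, 6 requests from 3 clients (documentation addresses).
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"] * 2):
        add(ip, i % 10)
    # Window 1 (10-19 s): single-source flood, 80 requests from one address plus 3 legitimate ones.
    for i in range(80):
        add("198.51.100.7", 10 + i % 10)
    for i in range(3):
        add("192.0.2.10", 12 + i)
    # Window 2 (20-29 s): distributed flood, 120 requests spread evenly over 30 "bots".
    for i in range(120):
        add(f"203.0.113.{i % 30 + 1}", 20 + i % 10)
    return lines


if __name__ == "__main__":
    for start, info in classify_windows(make_sample_log()).items():
        when = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%H:%M:%S")
        print(f"{when}  {info['verdict']:6s}  requests={info['requests']:4d}  "
              f"sources={info['sources']:3d}  top_share={info['top_source_share']}")
```

Run stand-alone it prints one line per window; the middle window is flagged as a single-source flood (one address carries 96% of the traffic) and the last as distributed (30 addresses, none above 4%). In practice the windowing and thresholds would be tuned to the site’s baseline, and a distributed verdict is the signal to move from per-address blocking to upstream rate limiting or scrubbing, since blocking the top talker alone does nothing against a botnet.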
These DDoS attacks were reportedly used against Ukraine during the invasion to render its cyberinfrastructure useless. The same group was also allegedly behind the disruption of the Ukrainian electric grid in 2015 and attacks on Georgia in 2019. Another kind of malware, a “wiper,” was used against Ukrainian government systems to render its servers useless. It is also worth noting that on the day of the Russian invasion, hackers knocked Viasat, a European satellite system, offline, possibly to hamper Ukrainians’ ability to communicate with one another. The attack also disrupted internet service, and with it communications, elsewhere in Europe.
Through a collaboration with WatchGuard, the FBI developed detection tools for the malware and removed the GRU’s ability to control the Fireboxes. However, Wray warned that formerly infected devices could still be very vulnerable unless further security measures are adopted.
Although Wray explained what the malware does, its true intent remains unclear, since a DDoS attack is only one common use of a botnet. Malware’s functions can range anywhere from surveillance to data erasure and even destruction of cyberinfrastructure.
According to an American official who spoke with The New York Times, the United States did not want to wait to find out what the malware and the botnets could do. Thus they obtained secret court orders to conduct the operation along with several law enforcement and intelligence agencies around the world, leading to the success of the operation. These court orders allowed the FBI to operate on domestic corporate networks to remove the malware. The New York Times reported that some removal operations were done without the company’s knowledge.
Adam Meyers, Senior Vice President for Intelligence at CrowdStrike, who analyzed another Russian malware designed to delete data and cripple the Ukrainian government servers it attacked, said that the cyberattacks were carried out to aid Russian military objectives. It was also reported that multiple cyberattacks have plagued Ukraine for the duration of the invasion.
These efforts to counter the botnet and malware were led by the FBI’s Pittsburgh, Atlanta, and Oklahoma City Field Offices, the FBI Cyber Division, the National Security Division’s Counterintelligence and Export Control Section, and the US Attorney’s Office for the Western District of Pennsylvania.
“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division said in a statement.
It can be surmised that this malware was what President Biden had warned US private companies to stay wary of in mid-March. He said that cyber attacks from Russia could well be conducted against US companies, as such actions were part of “Russia’s playbook,” and that they would be carried out in retaliation for the fiscal and economic sanctions the West had levied on Russia.