FBI announces remote access to network devices around the world to remove Russian malware

The Federal Bureau of Investigation (FBI) has announced that it has removed malware by remotely accessing ASUS and WatchGuard network devices infected with Russian malware. The FBI is asking device administrators to take appropriate action, saying that removal alone is not enough.

Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation's Main Intelligence Directorate (GRU) | OPA | Department of Justice

https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation

Companies were slow to remove Russian spies' malware, so FBI did it for them | Ars Technica
https://arstechnica.com/information-technology/2022/04/fbi-accesses-us-servers-to-dismantle-botnet-malware-installed-by-russian-spies/

This time, the FBI reported the removal of the botnet malware 'Cyclops Blink', used by the hacker group Sandworm, which is said to belong to a technical unit of the Main Intelligence Directorate (GRU) of the General Staff of the Russian Armed Forces. The existence of Cyclops Blink was confirmed around June 2019, and in February 2022 it was reported to have affected about 1% of the WatchGuard firewall appliances in use around the world.

UK and US identify and warn of Russia-backed hacking group's new botnet malware 'Cyclops Blink' - GIGAZINE

In response to the above report, WatchGuard released a method for detecting and removing Cyclops Blink, developed in collaboration with investigative agencies including the FBI. ASUS, which found that network equipment it sells was also affected by Cyclops Blink, likewise released a remediation method similar to WatchGuard's.

According to the FBI, the remediation guidance released by WatchGuard and ASUS led to Cyclops Blink being removed from thousands of devices, but as of March 2022 most infected devices remained compromised. So, with court authorization, the FBI remotely accessed 'thousands of network devices infected with Cyclops Blink around the world' and removed Cyclops Blink from them.

The FBI said, 'In this operation, we used automated scripts to collect device serial numbers and remove the malware,' stressing that it did not access any information that was not necessary for the operation. However, technology media outlet Ars Technica noted, 'There is also concern that the FBI's remote access to servers and some of its operations could lead to serious damage and privacy invasion due to operational mistakes.' Regarding these concerns, Jake Williams, a former National Security Agency (NSA) employee and now executive director of security firm SCYTHE, said, 'Accessing servers that are not under the control of law enforcement agencies to implement a fix is something we consider dangerous, but in this case the benefits clearly outweighed the risks. The fact that the FBI worked with a private company like WatchGuard in this action is especially important.'

In addition, the FBI said, 'Unless the countermeasures shown by WatchGuard and ASUS are implemented, the devices will remain vulnerable to attack,' and is asking network equipment administrators to take those countermeasures.

in Security, Posted by log1o_hf