New Sandworm malware Cyclops Blink replaces VPNFilter
The UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) in the US have identified that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to here as Cyclops Blink. The NCSC, CISA, FBI and NSA have previously attributed the Sandworm actor to the Russian GRU’s Main Centre for Special Technologies GTsST.
The malicious cyber activity below has previously been attributed to Sandworm:
- The BlackEnergy disruption of Ukrainian electricity in 2015
- Industroyer in 2016
- NotPetya in 2017
- Attacks against the Winter Olympics and Paralympics in 2018
- A series of disruptive attacks against Georgia in 2019
Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network attached storage (NAS) devices.
This advisory summarises the VPNFilter malware it replaces, and provides more detail on Cyclops Blink, as well as the associated tactics, techniques and procedures (TTPs) used by Sandworm. An NCSC malware analysis report on Cyclops Blink is also available and can be read in parallel.
It also points to mitigation measures to help organisations that may be affected by this malware.
Original Source: ncsc[.]gov[.]uk
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.
