Cyclops Blink

Malware updated 2 days ago (2024-11-21T10:31:35.877Z)

Download STIX

Preview STIX

Cyclops Blink, a modular malware first identified in 2019, was designed to target network infrastructure. It was often referred to as the "Son of VPNFilter" due to its similarities with that campaign. The malware was specifically engineered to run on Linux systems, particularly those using the 32-bit PowerPC architecture. This malicious software was used predominantly for espionage and financial gain by creating proxy botnets that helped mask the origin of its illicit activities. In 2022, Cyclops Blink was found to be targeting Watchguard firewalls and ASUS routers, with attribution linked to the Russian Sandworm threat group. The malware was part of dedicated botnets, including Sandworm's own, which consisted of compromised Watchguard and ASUS routers. These botnets were subsequently disrupted by the FBI and the UK National Cyber Security Centre (NCSC). The malware was also implicated in attacks against Ukraine, where it was used alongside other botnets like VPNFilter. Following these disruptions, the malware was observed to shift tactics. After the dismantling of the Cyclops Blink botnet, the associated IP address was found to have been used in attacks against Danish energy firms in May, exploiting a vulnerability in Zyxel firewalls. These attacks were linked to the Katana Mirai botnet. The Department of Justice (DOJ) managed to take down the Russian GRU-backed botnet Cyclops Blink in April, marking a significant step in curtailing its activities. Despite these successes, the persistent use of routers for launching attacks by nation-state hackers continues to pose a serious cybersecurity concern.

Description last updated: 2024-11-21T10:30:29.545Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Botnet

Cybercrime

Apt

Fbi

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Sandworm Threat Actor is associated with Cyclops Blink. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c	Unspecified	3

Source Document References

Information about the Cyclops Blink Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	2 days ago	'Water Barghest' Sells Hijacked IoT Devices for Proxy Botnet Misuse
Trend Micro	7 months ago	Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks
CERT-EU	9 months ago	DOJ Dismantles Russian Botnet Responsible for Hacking Millions of Connected Devices
CERT-EU	9 months ago	The 3 most common post-compromise tactics on network infrastructure
CERT-EU	9 months ago	Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28's MooBot Threat \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	10 months ago	Report: Sandworm hackers unlikely involved in Denmark cyberattacks
CERT-EU	10 months ago	Sandworm probably wasn’t behind Danish critical infrastructure cyberattack, report says
CERT-EU	10 months ago	Infographic: A History of Network Device Threats and What Lies Ahead
CERT-EU	10 months ago	Infographic: A History of Network Device Threats and What Lies Ahead \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	AWS’ MadPot Honeypot Operation Corrals Threat Actors
CERT-EU	a year ago	AWS security exec talks secret threat intel tool MadPot
CERT-EU	a year ago	FBI director urges private sector to work with the agency on cyber threats
InfoSecurity-magazine	a year ago	#mWISE: FBI Director Urges Greater Private-Public Collaboration
CERT-EU	a year ago	DOJ Launches Cyber Unit to Prosecute Nation-State Threat Actors
CSO Online	2 years ago	Attacks on industrial infrastructure on the rise, defenses struggle to keep up
CERT-EU	2 years ago	資料破壞軟體
Securityaffairs	2 years ago	Microsoft sheds light on a year of Russian hybrid warfare in Ukraine
CERT-EU	2 years ago	路由器
CERT-EU	2 years ago	How the US Government is Fighting Back Against Ransomware \| #ransomware \| #cybercrime – National Cyber Security Consulting
CERT-EU	2 years ago	To combat cybercrime, US law enforcement increasingly prioritizes disruption