Cyclops Blink – A Destructive Cyber Malware That Can Jeopardise National Security

U.S. and UK governments have confirmed the discovery of Cyclops Blink, new malware that compromises network devices such as small office/home office (SOHO) routers and network-attached storage (NAS) devices. This cyber weapon is capable of breaking into a nation’s cyber security programs, stealing classified information, and causing destruction.

This malware can destabilize economies and put national security at risk. According to the detailed report jointly published by agencies of both governments on Wednesday, Cyclops Blink was developed by Russia’s military cyber unit. It is a successor to the earlier VPNFilter malware and has been deployed in the wild since 2019. Its deployment could allow Sandworm, a cyber warfare unit of Russia’s military intelligence service, to access networks and cause damage remotely.

A possible role in the invasion of Ukraine

This report on the discovery of the potential cyber weapon came hours before Russian forces began their invasion of Ukraine on Wednesday.

The report states that Russian state-sponsored actors have repeatedly intruded into the networks of U.S. Cleared Defense Contractors (CDCs) over the last two years and have stolen sensitive, unclassified information along with proprietary and export-controlled technology. An initial alert on these intrusions was issued on February 16th by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA).

Identifying Cyclops Blink infection

The analysis also offers recommendations for detecting a Cyclops Blink infection and mitigating its risks. The malware is a Linux Executable and Linkable Format (ELF) binary; it uses the Linux API to download malicious files, carry out attacks, and maintain persistence on victim networks.

Although the report observed that the malware played a role in weakening Ukrainian cyber security systems, experts from the security firm Digital Shadows feel there is little evidence linking Cyclops Blink to the recent DDoS attacks on Ukraine.

In an interview with TechNewsWorld, the firm’s Chief Information Security Officer Rick Holland opined, “However, compromising routers provides the Russians with a useful DDoS tool to distract and disrupt their adversaries while also providing a level of plausible deniability. Russia has used botnets in the past; in 2018, the FBI took a botnet associated with the VPNFilter malware offline.”

Connecting the dots

The joint advisory identified Sandworm, also known as Voodoo Bear, as the threat actor. Sandworm is the GRU’s (Russian military intelligence) Main Centre for Special Technologies (GTsST). This unit is believed to carry out destructive and costly cyber attacks on the defense systems of other countries by deploying malware such as Cyclops Blink and VPNFilter.

Rick Holland also observes that Russia’s invasion of Ukraine is not as unrehearsed as its leaders try to portray; it was planned years in advance, first weakening Ukrainian defense systems with malware.

Holland further states, “Disinformation, false flags, DDoS attacks, and destructive wiper malware are a part of Russian military doctrine. The battle plans have been drawn up and are now being executed.”

Cyber security firm Coalfire’s Vice President John Dickson also backed Holland’s claim, pointing out that Russia’s approach to invading Ukraine mirrors its 2014 invasion of Crimea, with cyber attacks preceding military engagement. In an interview with TechNewsWorld, he suggests, “I would bet a million rubles this is from our friends in Moscow. They are likely trying to soften the target by disrupting Ukrainian command, control, and communications before any broader invasion of Ukraine.” Hence, it is highly likely that the cyber attacks carried out with Cyclops Blink can be traced back to Russia.

Cybersecurity Details

A detailed NCSC malware analysis report on Cyclops Blink is available here. It covers the analysis of two samples recently obtained by the FBI from WatchGuard Firebox devices known to have been incorporated into the botnet.

The report identifies Cyclops Blink as a malicious Linux ELF executable built for the 32-bit PowerPC (big-endian) architecture. NCSC, FBI, CISA, and NSA conclude that the malware is linked to a large-scale botnet targeting Small Office/Home Office (SOHO) network devices that has been active since at least June 2019.

The report also outlines some findings on how the malware works. The samples load into memory as two program segments. The first segment, mapped with read/execute permissions, holds the Linux ELF header and the malware’s executable code. The second segment, mapped with read/write permissions, contains the data the malware uses, including victim-specific information.
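The two-segment layout above is exactly what the ELF program header table records, and an analyst triaging a suspect binary from a PowerPC device would normally confirm it before anything else. The following Python is an added example, not code from the NCSC report or from WatchGuard: it parses the program headers of an ELF32 big-endian binary, renders each loadable segment's permissions, and flags the writable-and-executable case that well-formed firmware binaries should not have. The sample ELF header it parses is constructed inline (two PT_LOAD segments, r-x code and rw- data, with no real code behind them); the function names and the summary fields are the author's own choices.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# ELF constants (from the ELF specification)
ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1          # 32-bit objects
ELFDATA2MSB = 2         # big-endian data encoding
EM_PPC = 20             # PowerPC
PT_LOAD = 1             # loadable segment
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = ">HHIIIIIHHHHHH"   # Elf32_Ehdr fields after the 16-byte e_ident
PHDR_FMT = ">IIIIIIII"        # Elf32_Phdr, 32 bytes


@dataclass
class Segment:
    p_type: int
    offset: int
    vaddr: int
    filesz: int
    memsz: int
    flags: int

    @property
    def perms(self) -> str:
        """Render p_flags as rwx, e.g. 'r-x' for code, 'rw-' for data."""
        return "".join(c if self.flags & bit else "-"
                       for c, bit in (("r", PF_R), ("w", PF_W), ("x", PF_X)))


def parse_segments(data: bytes) -> list[Segment]:
    """Parse the program headers of an ELF32 big-endian PowerPC binary."""
    if len(data) < 52:
        raise ValueError("truncated ELF header")
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS32 or data[5] != ELFDATA2MSB:
        raise ValueError("expected ELF32 big-endian")
    (_type, e_machine, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    if e_machine != EM_PPC:
        raise ValueError(f"unexpected e_machine {e_machine}")
    if e_phentsize != struct.calcsize(PHDR_FMT):
        raise ValueError("unexpected program header entry size")
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table runs past end of file")
    segs = []
    for i in range(e_phnum):
        (p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align) = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        segs.append(Segment(p_type, p_offset, p_vaddr, p_filesz, p_memsz, p_flags))
    return segs


def summarize(data: bytes) -> dict:
    """Triage view of the loadable segments (hypothetical helper, not from the report)."""
    loads = [s for s in parse_segments(data) if s.p_type == PT_LOAD]
    return {
        "load_perms": [s.perms for s in loads],
        # W+X segments are a classic red flag (self-modifying or packed code)
        "writable_executable": [hex(s.vaddr) for s in loads
                                if s.flags & PF_W and s.flags & PF_X],
        # memsz > filesz means zero-filled (bss-style) space at runtime
        "zero_filled_bytes": sum(s.memsz - s.filesz for s in loads),
    }


def build_sample() -> bytes:
    """Constructed ELF32 big-endian PowerPC header with two PT_LOAD segments
    (r-x code, rw- data), mimicking the layout described in the report.
    Not a real sample: the headers point at no actual code."""
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2MSB, 1, 0]) + b"\x00" * 8
    phoff, phnum = 52, 2
    ehdr = ident + struct.pack(EHDR_FMT, 2, EM_PPC, 1, 0x10000100, phoff, 0, 0,
                               52, 32, phnum, 0, 0, 0)
    code = struct.pack(PHDR_FMT, PT_LOAD, 0, 0x10000000, 0x10000000,
                       0x2000, 0x2000, PF_R | PF_X, 0x10000)
    data = struct.pack(PHDR_FMT, PT_LOAD, 0x2000, 0x10012000, 0x10012000,
                       0x400, 0x800, PF_R | PF_W, 0x10000)
    return ehdr + code + data


if __name__ == "__main__":
    for seg in parse_segments(build_sample()):
        print(f"{seg.perms} vaddr={seg.vaddr:#010x} filesz={seg.filesz:#x} memsz={seg.memsz:#x}")
    print(summarize(build_sample()))
```

Run against a real file with `parse_segments(Path("sample.elf").read_bytes())`; the checks on `e_machine`, the entry size and the table bounds are there so that a malformed or truncated file raises rather than yielding nonsense offsets.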

Risk of potential fallout

Digital Shadow’s Holland observes that Russia will react strongly to the new economic and other sanctions that will be imposed by the U.S. and other Western countries. He warns, “Based on Russian Foreign Affairs Ministry statements issued yesterday (Feb. 23) around a strong and painful response, critical U.S. and Western infrastructure could be targeted soon, including energy and finance.”

Coalfire’s Vice President Dickson recommends the following four-step security check in response to such threats and warnings.

  1. Brainstorm potential disruption scenarios, e.g., international travel or GPS disruption, and craft response plans.
  2. Conduct a tabletop exercise tailored to a regional conflict scenario, bringing together key corporate leaders to identify gaps and associated risks.
  3. Look out for and protect key staff who may have been impacted by disruption associated with a widening conflict in the Ukrainian region.
  4. Secure external security resources (more people) for when your workloads increase sharply.

Work Culture & Discipline

The report concludes that Cyclops Blink’s modular design is highly advanced and professionally developed. Further analysis of the samples revealed that they were probably built from a common code base, and the developers ensured that command and control communications are extremely difficult to detect or track.

The developers reverse-engineered the WatchGuard Firebox firmware update process and found a weakness in it. Specifically, they exploited a flaw in how the hash-based message authentication code (HMAC) is calculated during the firmware update, so that Cyclops Blink persists across a legitimate firmware update.

Because Cyclops Blink has read/write access to the device filesystem, it can replace legitimate files, such as install_upgrade, with modified versions. Even if a specific weakness is fixed, the developers have made the malware capable of deploying new tactics to maintain persistence.
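When malware can rewrite files on the device, the defender's question becomes "which files no longer match the vendor image?". The following Python is an added example, not code from NCSC or WatchGuard: it builds a SHA-256 manifest of a file tree and diffs the current tree against it, reporting modified, missing and added files. The point worth noting is that the baseline must come from a trusted source (a clean firmware image or a manifest recorded before deployment), never from the possibly compromised device itself. The directory layout, file names and contents in `demo()` are constructed for the example; `bin/install_upgrade` is used only because the report names that file.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large firmware images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative, POSIX-style path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict[str, str], root: Path) -> dict[str, list[str]]:
    """Diff the current tree against a known-good manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a known-good tree, then tampering of the kind described
    (install_upgrade replaced, an extra file dropped, a config file removed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "install_upgrade").write_bytes(
            b"#!/bin/sh\n# constructed stand-in for the vendor script\nexit 0\n")
        (root / "etc" / "config").write_bytes(b"hostname=fw1\n")
        baseline = build_manifest(root)   # in practice: taken from a trusted image

        # Simulated tampering on the device after the baseline was recorded
        (root / "bin" / "install_upgrade").write_bytes(
            b"#!/bin/sh\n# constructed modified copy\nexit 0\n")
        (root / "bin" / "dropped").write_bytes(b"constructed extra file\n")
        (root / "etc" / "config").unlink()
        return compare(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing with SHA-256 rather than trusting timestamps or sizes matters here because a replacement script can be padded to the original length and have its mtime restored; only the content hash catches the swap.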

These factors, combined with the professional development approach, lead the NCSC to conclude that Cyclops Blink is highly sophisticated malware and a potential cyber weapon.

Beyond 32-bit PowerPC (big-endian), WatchGuard devices span a wide range of architectures, which are also likely to be targeted by this malware. Users are therefore advised to follow WatchGuard’s mitigation advice for all relevant devices.

Cyber Security in India

With so much going on all around the world, technology and cyber security in India are also evolving at a rapid pace. With a robust increase in cyber security awareness, the use of cyber security tools and applications is also increasing to combat ever-growing vulnerabilities. With the cyber security news highlighted above, cyber security topics are clearly in the headlines, and as the various types of cyber security threats are highlighted, more and more people and organizations are adopting cyber security risk management and implementing cyber security policies.

The risk in cyber security is increasing every minute and so is the scope of cyber security, leading to a shortage of cyber security skills in the nation. One can gain the various advantages of cyber security by getting all the relevant information through a cyber security training program, which teaches everything from cyber security basics to fundamentals and cyber security management. You will learn how to mitigate cyber security risk by using cyber security software.

You can also opt to partner with top cyber security companies in India, which will help you realise all the benefits of cyber security through their specialized services. They will help you meet cyber security standards by applying various cyber security concepts from a huge pool of tools. Search for cyber security near me to get the best cyber security solutions and secure you and your loved ones today.
