US and UK Warn of VPNFilter Successor “Cyclops Blink”

UK government security experts are warning of a sophisticated Russian malware campaign that has lain hidden for over two years.

Dubbed “Cyclops Blink” by the National Cyber Security Centre (NCSC), it is the likely successor to the infamous VPNFilter malware, traced to the Sandworm group.

This actor is thought to be part of the Russian GRU’s Main Centre for Special Technologies (GTsST) and has been linked to the destructive BlackEnergy campaign that targeted Ukrainian power plants in 2015, as well as the infamous NotPetya campaign of 2017, Industroyer, and disruptive attacks against Georgia and the 2018 Winter Olympics.

After VPNFilter was exposed in 2018, the group set about creating a new version, said the NCSC.

It’s designed to infect network devices – mainly small office/home office (SOHO) routers, and network attached storage (NAS) devices – and steal data and/or use them as a launchpad for further attacks.

“The malware itself is sophisticated and modular with basic core functionality to beacon device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required,” the report revealed.

“Post exploitation, Cyclops Blink is generally deployed as part of a firmware ‘update.’ This achieves persistence when the device is rebooted and makes remediation harder.”

The NCSC claimed deployment of the malware had so far been “indiscriminate and widespread,” with WatchGuard devices mainly targeted, although this could certainly change in the future.

Organizations that find evidence of infection may not be intended as the primary target but merely a staging post from which to launch attacks on Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *