Gandalf_The_Grey
Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 6,593
The Sandworm actor has replaced the exposed VPNFilter malware with a new more advanced framework.
The UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) in the US have identified that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to here as Cyclops Blink. The NCSC, CISA, FBI and NSA have previously attributed the Sandworm actor to the Russian GRU’s Main Centre for Special Technologies GTsST.
The malicious cyber activity below has previously been attributed to Sandworm:
Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network attached storage (NAS) devices.
- The BlackEnergy disruption of Ukrainian electricity in 2015
- Industroyer in 2016
- NotPetya in 2017
- Attacks against the Winter Olympics and Paralympics in 2018
- A series of disruptive attacks against Georgia in 2019
This advisory summarises the VPNFilter malware it replaces, and provides more detail on Cyclops Blink, as well as the associated tactics, techniques and procedures (TTPs) used by Sandworm. An NCSC malware analysis report on Cyclops Blink is also available and can be read in parallel.
It also points to mitigation measures to help organisations that may be affected by this malware.