The Sandworm actor has replaced the exposed VPNFilter malware with a new more advanced framework.
The UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) in the US have identified that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to here as Cyclops Blink. The NCSC, CISA, FBI and NSA have previously attributed the Sandworm actor to the Russian GRU’s Main Centre for Special Technologies GTsST.
The malicious cyber activity below has previously been attributed to Sandworm:
Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network attached storage (NAS) devices.
This advisory summarises the VPNFilter malware it replaces, and provides more detail on Cyclops Blink, as well as the associated tactics, techniques and procedures (TTPs) used by Sandworm. An
NCSC malware analysis report on Cyclops Blink is also available and can be read in parallel.
It also points to mitigation measures to help organisations that may be affected by this malware.
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
