US, UK link new Cyclops Blink malware to Russian state hackers
2022-02-23 15:49

New malware dubbed Cyclops Blink has been linked to the Russian-backed Sandworm hacking group in a joint security advisory published today by US and UK cybersecurity and law enforcement agencies.

"The malware dubbed Cyclops Blink appears to be a replacement for the VPNFilter malware exposed in 2018, and its deployment could allow Sandworm to remotely access networks," the UK National Cyber Security Centre said today.

"Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC architecture. NCSC, FBI, CISA, NSA and industry analysis has associated it with a large-scale botnet targeting Small Office/Home Office network devices," the UK NCSC said in a malware analysis report also published today.
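The advisory identifies the sample by its binary format: a Linux ELF executable built for 32-bit PowerPC, the architecture of the SOHO devices the botnet targets. The following added example, which is not code from the original report or from any of the agencies named above, shows how a responder can read the ELF identification fields and machine type from the first bytes of a file to triage it by architecture before deeper analysis. The ELF constants used (EI_CLASS, EI_DATA, e_machine values such as EM_PPC = 20) come from the ELF specification; the sample headers embedded below are constructed for the demonstration and do not represent any real malware.

```python
import struct

# ELF identification constants (from the ELF specification)
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2

# e_machine values from the ELF specification
EM_MIPS, EM_PPC, EM_PPC64, EM_ARM, EM_X86_64, EM_AARCH64 = 8, 20, 21, 40, 62, 183
MACHINE_NAMES = {
    EM_MIPS: "MIPS",
    EM_PPC: "PowerPC",
    EM_PPC64: "PowerPC64",
    EM_ARM: "ARM",
    EM_X86_64: "x86-64",
    EM_AARCH64: "AArch64",
}

# e_type values from the ELF specification
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def parse_elf_header(data: bytes) -> dict:
    """Decode class, endianness, type and machine from the start of an ELF file.

    Only the first 20 bytes are needed: the 16-byte e_ident block followed by
    e_type and e_machine, which are read in the endianness declared by EI_DATA.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64):
        raise ValueError(f"invalid EI_CLASS {ei_class}")
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError(f"invalid EI_DATA {ei_data}")
    fmt = ("<" if ei_data == ELFDATA2LSB else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {
        "bits": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "little" if ei_data == ELFDATA2LSB else "big",
        "type": ET_NAMES.get(e_type, f"unknown({e_type})"),
        "e_machine": e_machine,
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
    }


def is_ppc32_executable(data: bytes) -> bool:
    """True when the bytes begin a 32-bit PowerPC ELF executable.

    This is only an architecture match, the same profile the advisory gives
    for the sample, not a malware verdict; matching files still need to be
    compared against the published indicators and YARA rules.
    """
    try:
        hdr = parse_elf_header(data)
    except ValueError:
        return False
    return hdr["bits"] == 32 and hdr["e_machine"] == EM_PPC and hdr["type"] == "executable"


def triage_file(path: str) -> dict:
    """Read just enough of a file on disk to classify it (hypothetical helper)."""
    with open(path, "rb") as fh:
        return parse_elf_header(fh.read(64))


def make_elf32_header(endian: str, e_type: int, e_machine: int) -> bytes:
    """Build a constructed 52-byte ELF32 header for demonstration purposes."""
    ei_data = ELFDATA2LSB if endian == "little" else ELFDATA2MSB
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, ei_data, 1]) + b"\x00" * 9
    fmt = ("<" if endian == "little" else ">") + "HH"
    # Remaining header fields are zero-filled; they are not needed for triage.
    return e_ident + struct.pack(fmt, e_type, e_machine) + b"\x00" * 32


# Constructed samples: a big-endian PowerPC executable and an x86-64 executable.
SAMPLE_PPC32 = make_elf32_header("big", 2, EM_PPC)
SAMPLE_X86_64 = make_elf32_header("little", 2, EM_X86_64)

if __name__ == "__main__":
    for name, blob in (("ppc32", SAMPLE_PPC32), ("x86_64", SAMPLE_X86_64)):
        print(name, parse_elf_header(blob), "ppc32 executable:", is_ppc32_executable(blob))
```

On a real investigation `triage_file` would be run over a firmware image's extracted filesystem to shortlist binaries matching the advisory's profile (32-bit, big-endian PowerPC executables), which are then checked against the NCSC's published indicators and YARA rules rather than judged on architecture alone.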

Cyclops Blink uses infected devices' legitimate firmware update channels to maintain access to compromised systems by injecting malicious code and repacking the modified firmware images.

"They have taken advantage of this weakness to enable them to maintain the persistence of Cyclops Blink throughout the legitimate firmware update process."

Additional information on Sandworm's Cyclops Blink malware, including indicators of compromise, YARA rules and signatures, is available at the end of NCSC's malware analysis report [PDF].

News URL

https://www.bleepingcomputer.com/news/security/us-uk-link-new-cyclops-blink-malware-to-russian-state-hackers/