US disrupts large Russian botnet ‘before it could be used’

Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (

The US has disrupted a large global botnet operated by Russia’s GRU military intelligence agency.

US Attorney General Merrick Garland made the announcement on Wednesday.

“Fortunately, we were able to disrupt this botnet before it could be used. Thanks to our close work with international partners, we were able to detect the infection of thousands of network hardware devices,” said Garland.

“We were then able to disable the GRU’s control over those devices before the botnet could be weaponised.”

Russia has launched a number of cyberattacks in recent months. On the day Russia invaded Ukraine, a cyberattack was launched targeting satellite operator Viasat. The cyberattack, which used malware linked to Russia, caused an outage that impacted thousands of customers not just in Ukraine but across Europe.

The cyberattack on Viasat spilt over and rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control. Had it hit something more critical, there could have been a serious escalation. NATO has been clear that a cyberattack on a member could trigger a collective response from the alliance.

Western countries have been preparing for a large-scale cyberattack from Russia in response to their support for Ukraine.

Additional sanctions announced by the US, UK, and EU this week in response to the evidence of Russian forces committing war crimes – such as rape, torture, and the execution of civilians, including women and children – have increased the likelihood of Russia using a cyberattack as revenge.

“This court-authorised removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.

“By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyse the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes.”

The operation disrupted a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the US government has previously attributed to GRU.

The malware itself was known as ‘Cyclops Blink’ which the UK’s National Cyber Security Centre, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, and the National Security Agency identified on 23 February 2022. Cyclops Blink is the apparent successor to another Sandworm-linked botnet known as VPNFilter.

“Through close collaboration with WatchGuard and our law enforcement partners, we identified, disrupted and exposed yet another example of the Russian GRU’s hacking of innocent victims in the United States and around the world,” commented US Attorney Cindy K. Chung for the Western District of Pennsylvania.

“Such activities are not only criminal but also threaten the national security of the United States and its allies. My office remains committed to working with our partners in the National Security Division, the FBI, foreign law enforcement agencies, and the private sector to defend and maintain our nation’s cybersecurity.” 

A huge effort from both public and private entities was launched to disrupt the botnet; including the release of tools for removing the malware and updating the firmware of affected devices to their latest versions. However, a majority of the compromised devices were still infected by mid-March.

Following the court authorisation on 18 March 2022, the operation was successful in copying and then removing the malware from all identified devices. As an additional safeguard, the external management ports used by Sandstorm to access the devices were also closed.

“The FBI prides itself on working closely with our law enforcement and private sector partners to expose criminals who hide behind their computer and launch attacks that threaten Americans’ safety, security, and confidence in our digitally-connected world,” said Mike Nordwall of the FBI’s Pittsburgh Field Office.

“The FBI has an unwavering commitment to combat and disrupt Russia’s efforts to gain a foothold inside US and allied networks.”

The disruption of the botnet by US authorities will hamper Russia’s ability to carry out large-scale attacks that could have a major impact on Western economies. However, it’s still worth being extra vigilant in this climate of increased cybersecurity risks.

(Image: Attorney General Merrick Garland by US Department of Justice)

Related: DDoS attacks ‘became larger and more complex’ in 2021

Want to learn more about cybersecurity from industry leaders? Check out Cyber Security & Cloud Expo. The next events in the series will be held in Santa Clara on 11-12 May 2022, Amsterdam on 20-21 September 2022, and London on 1-2 December 2022.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: , , , , , , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *