{
	"id": "be99e3b2-7cfd-40c2-928f-d94b229b4fa8",
	"created_at": "2026-04-07T12:03:56.983852Z",
	"updated_at": "2026-04-10T03:30:30.301393Z",
	"deleted_at": null,
	"sha1_hash": "90c9fecdf8bfee188161147ff94e806f11f93bee",
	"title": "Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57284,
	"plain_text": "Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU)\r\nPublished: 2022-04-06 · Archived: 2026-04-07 11:53:22 UTC\r\nOperation Copied and Removed Malware Known as “Cyclops Blink” from the Botnet’s Command-And-Control Devices, Disrupting the GRU’s Control Over Thousands of Infected Devices Worldwide. Victims Must Take Additional Steps to Remediate the Vulnerability and Prevent Malicious Actors From Further Exploiting Unpatched Devices.\r\nThe Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as “bots,” the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control.\r\n“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes.”\r\n“Through close collaboration with WatchGuard and our law enforcement partners, we identified, disrupted and exposed yet another example of the Russian GRU’s hacking of innocent victims in the United States and around the world,” said U.S. Attorney Cindy K. Chung for the Western District of Pennsylvania. “Such activities are not only criminal but also threaten the national security of the United States and its allies. My office remains committed to working with our partners in the National Security Division, the FBI, foreign law enforcement agencies and the private sector to defend and maintain our nation’s cybersecurity.”\r\n“This operation is an example of the FBI’s commitment to combatting cyber threats through our unique authorities, capabilities, and coordination with our partners,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “As the lead domestic law enforcement and intelligence agency, we will continue pursuing cyber actors that threaten the national security and public safety of the American people, our private sector partners and our international partners.”\r\nhttps://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation\r\nPage 1 of 4\r\n“The FBI prides itself on working closely with our law enforcement and private sector partners to expose criminals who hide behind their computer and launch attacks that threaten Americans’ safety, security and confidence in our digitally connected world,” said Special Agent in Charge Mike Nordwall of the FBI’s Pittsburgh Field Office. “The FBI has an unwavering commitment to combat and disrupt Russia’s efforts to gain a foothold inside U.S. and allied networks.”\r\nOn Feb. 23, the United Kingdom’s National Cyber Security Centre, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency released an advisory identifying the Cyclops Blink malware, which targets network devices manufactured by WatchGuard Technologies Inc. (WatchGuard) and ASUSTek Computer Inc. (ASUS). These network devices are often located on the perimeter of a victim’s computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks. As explained in the advisory, the malware appeared to have emerged as early as June 2019, and was the apparent successor to another Sandworm botnet called VPNFilter, which the Department of Justice disrupted through a court-authorized operation in 2018.\r\nThe same day as the advisory, WatchGuard released detection and remediation tools for users of WatchGuard devices. The advisory and WatchGuard’s guidance both recommended that device owners deploy WatchGuard’s tools to remove any malware infection and patch their devices to the latest versions of available firmware. Later, ASUS released its own guidance to help compromised ASUS device owners mitigate the threat posed by Cyclops Blink malware. The public and private sector efforts were effective, resulting in the successful remediation of thousands of compromised devices. However, by mid-March, a majority of the originally compromised devices remained infected.\r\nFollowing the initial court authorization on March 18, the department’s operation was successful in copying and removing the malware from all remaining identified C2 devices. It also closed the external management ports that Sandworm was using to access those C2 devices, as recommended in WatchGuard’s remediation guidance (a non-persistent change that the owner of an affected device can reverse through a device restart). These steps had the immediate effect of preventing Sandworm from accessing these C2 devices, thereby disrupting Sandworm’s control of the infected bot devices controlled by the remediated C2 devices. However, WatchGuard and ASUS devices that acted as bots may remain vulnerable to Sandworm if device owners do not take the WatchGuard and ASUS recommended detection and remediation steps. The department strongly encourages network defenders and device owners to review the Feb. 23 advisory and WatchGuard and ASUS releases.\r\nThe operation announced today leveraged direct communications with the Sandworm malware on the identified C2 devices and, other than collecting the underlying C2 devices’ serial numbers through an automated script and copying the C2 malware, it did not search for or collect other information from the relevant victim networks. Further, the operation did not involve any FBI communications with bot devices.\r\nSince prior to the Feb. 23 advisory, the FBI has been attempting to provide notice to owners of infected WatchGuard devices in the United States and, through foreign law enforcement partners, abroad. For those domestic victims whose contact information was not publicly available, the FBI has contacted providers (such as a victim’s internet service provider) and has asked those providers to provide notice to the victims. As required by the terms of the court authorization, the FBI has provided notice to the owners of the domestic C2 devices from which the FBI copied and removed the Cyclops Blink malware.\r\nThe efforts to disrupt the Cyclops Blink botnet were led by the FBI’s Pittsburgh, Atlanta and Oklahoma City Field Offices, the FBI Cyber Division, the National Security Division’s Counterintelligence and Export Control Section, and the U.S. Attorney’s Office for the Western District of Pennsylvania. Assistance was also provided by the Criminal Division’s Computer Crime and Intellectual Property Section and Office of International Affairs, as well as the U.S. Attorney’s Office for the Eastern District of California.\r\nIf you believe you have a compromised device, please contact your local FBI Field Office for assistance. The FBI continues to conduct a thorough and methodical investigation into this cyber incident.\r\nSource: https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation"
	],
	"report_names": [
		"justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775563436,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90c9fecdf8bfee188161147ff94e806f11f93bee.pdf",
		"text": "https://archive.orkl.eu/90c9fecdf8bfee188161147ff94e806f11f93bee.txt",
		"img": "https://archive.orkl.eu/90c9fecdf8bfee188161147ff94e806f11f93bee.jpg"
	}
}