DOJ Disrupts Botnet Run by Russian State-Backed Hacking Group Sandworm


A slew of federal officials from the U.S. and U.K. removed malware from among thousands of infected devices, disrupting a global botnet.

The U.S. Department of Justice revealed that its officials conducted a targeted operation against a global botnet consisting of thousands of infected devices that were previously under the control of a Russian government-linked hacking operator called Sandworm.

In March, the Justice Department conducted a court-authorized operation to remove the malware from infected hardware that Sandworm used for command and control. Officials note that although they copied and removed the Sandworm bot from only some of the thousands of infected machines, targeting the devices that served as command-and-control nodes was enough to interrupt the centralized botnet.

“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said Assistant Attorney General Matthew Olsen. 

Justice officials worked in tandem with the Federal Bureau of Investigation, government agencies in the United Kingdom, and the firewall software company WatchGuard. Devices running WatchGuard’s firmware were reportedly targeted by the Sandworm malware known as Cyclops Blink. The National Security Agency released a formal advisory on the malicious software in February.

“By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity,” Olsen continued. “The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes.”

The formal court authorization came on March 18, and officials conducting the operation targeted the infected devices that Sandworm was using for command and control of the wider botnet.

Some of the formerly infected devices remain vulnerable to reinfection by Sandworm malware if their owners do not apply the mitigations recommended by government agencies and WatchGuard.

“This operation is an example of the FBI’s commitment to combatting cyber threats through our unique authorities, capabilities and coordination with our partners,” Bryan Vorndran, the assistant director of the FBI’s Cyber Division, said. “As the lead domestic law enforcement and intelligence agency, we will continue pursuing cyber actors that threaten the national security and public safety of the American people, our private sector partners and our international partners.”

Law enforcement has taken stringent measures to strengthen national cybersecurity amid Russia’s continued invasion of Ukraine.