This GRU team, Sandworm, had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies’ Firebox devices—these are security appliances, mainly firewalls, that are typically deployed in home office environments and in small to mid-size businesses.
Sandworm strung them together to use their computing power in a way that would obfuscate who was really running the network and let them then launch malware or orchestrate distributed denial of service attacks like the GRU has already used to attack Ukraine. I should note here that the GRU’s Sandworm team has a long history of outrageous, destructive attacks: the disruption of the Ukrainian electric grid in 2015, attacks against the Winter Olympics and the Paralympics in 2018, a series of disruptive attacks against the nation of Georgia in 2019, and, in 2017, the NotPetya attack that devastated Ukraine but also ended up hitting systems here in the U.S., throughout Europe, and elsewhere, causing more than 10 billion dollars in damages—one of the most damaging cyberattacks in the history of cyberattacks.
With the court-authorized operations we’re announcing today, we’ve disrupted this botnet before it could be used. We were largely able to do that because we had close cooperation with WatchGuard.
We’ve worked closely with WatchGuard to analyze the malware and develop detection tools and remediation techniques over the past several weeks. And our operation removed Russia’s ability to control these Firebox devices on the botnet network, and then copied and removed malware from the infected devices. Now I should caution that as we move forward, any Firebox devices that acted as bots may still remain vulnerable in the future until mitigated by their owners, so those owners should still go ahead and adopt WatchGuard’s recommended detection and remediation steps as soon as possible.
We’re continuing to conduct a thorough and methodical investigation, but as we’ve shown, we are not going to wait for our investigations to end to act. We are going to act as soon as we can, with whatever partners are best situated to help, to protect the public.
This announcement today shows the value of the FBI’s technical expertise and unique authorities—both as a law enforcement agency and an intelligence service. And both of those were essential to the success of this operation.
It also shows what we can accomplish with our partners to help companies—like the thousands of mostly small businesses affected by this botnet—hit by threats like these posed by the Russian government.