The FBI’s successful pre-emptive strike that stopped a Russian-government-backed botnet aimed at taking down SMB and home-office networks is a landmark moment in the battle to protect Main Street from foreign cybersecurity attacks, said MSPs.
“This is an awesome moment for MSPs,” said David Stinner, president of Buffalo, N.Y.-based MSP US itek, reacting to the FBI operation. “The U.S. government just launched a pre-emptive strike against Russian hackers that benefits MSPs everywhere. It is fantastic to know that the FBI is protecting us with this kind of cyber warfare. Kinetic war is the war of the past. Cyber warfare is the war of the future. I am ecstatic that we have the U.S. government protecting us from these kinds of attacks.”
Stinner’s comments came after the FBI revealed that it had proactively removed malware from devices used by thousands of companies—mostly small businesses—using WatchGuard devices, primarily firewalls.
FBI Director Christopher Wray said the sophisticated, court-authorized operation disrupted a “botnet of thousands of devices controlled by the Russian government—before it could do any harm.”
The FBI removed the malware and then “shut the door the Russians had used to get into them,” said Wray, according to a transcript of remarks given at a press conference Wednesday. He said the botnet that was disrupted was built by the GRU—the Russian government’s military intelligence agency. Specifically, he singled out the GRU’s Sandworm team.
The Sandworm team had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies’ Firebox devices, mainly firewalls, which are typically deployed in home-office environments and in small to midsize businesses, said Wray.
The FBI worked closely with WatchGuard to “analyze the malware and develop detection tools and remediation techniques over the past several weeks,” said Wray.
“Our operation removed Russia’s ability to control these Firebox devices on the botnet network, and then copied and removed malware from the infected devices,” he said.
Wray cautioned that any Firebox devices that acted as bots “may still remain vulnerable in the future” until mitigated by users. “Those owners should still go ahead and adopt WatchGuard’s recommended detection and remediation steps as soon as possible,” he said.
Stinner said he believes an emergency out-of-band patch from his firewall vendor—which he would not name for fear of inciting an attack—may have been related to the FBI operation. “We have never seen this kind of urgency from a firewall vendor,” he said.
Stinner’s message to fellow MSPs: “You need to be on top of your firewall vendor’s notifications and heed any urgent updates immediately. You need to make sure you can instantly patch all your firewalls from a single pane of glass with one click rather than locking them down one by one.”
The FBI operation marks the beginning of a new era in the continuing battle MSPs are waging to protect SMBs and themselves from all kinds of attacks, including nation-state attacks, said Stinner.
“Big businesses have invested heavily in cybersecurity, and their defenses are high,” he said. “They are harder to attack. This was an attempt by Russia to inflict maximum chaos in the United States economy by taking down small businesses. This could potentially have impacted millions of small businesses. The Russian government was looking to take down Main Street, and they targeted WatchGuard devices. If Russia was successful, this could have caused mass pandemonium.”
Michael Goldstein, president and CEO of Fort Lauderdale, Fla.-based MSP LAN Infotech, applauded the FBI for working closely with WatchGuard to take “action” to prevent what could have been a devastating attack.
“It looks like the firewalls were there, [and they were] planting malware that were botnets that were going out and reporting back [to the hackers],” he said.
Goldstein said he sees the close cooperation between the FBI and WatchGuard as the “start of bigger things” in the continuing battle to protect businesses.
WatchGuard said it was notified on Nov. 30, 2021, by the FBI and the UK National Cyber Security Centre about their ongoing international investigation regarding Cyclops Blink.
A WatchGuard spokesperson said the company played an “important role” in eliminating the threat posed by Cyclops Blink with the “rapid release of detection and remediation tools to protect its partners and customers” following the government disclosure of the malware. “The company’s close collaboration with its partner and customer communities was instrumental to mitigating this sophisticated state-sponsored threat, which affected less than 1 percent of WatchGuard appliances,” said the spokesperson.
WatchGuard had issued Cyclops Blink detection tools and what it called a “4 Step Cyclops Blink Diagnosis and Remediation Plan” on Feb. 23 to help partners and customers diagnose and remediate the threat.
Besides WatchGuard, Asus—which has sizable home Wi-Fi router market share—issued security advisories with software updates related to Cyclops Blink for its home Wi-Fi routers. CRN reached out to Asus but had not heard back at press time.
Mike Turicchi, vice president of Gainesville, Va.-based NCS Technologies, said the FBI’s ability to intervene to protect MSPs and their customers is impressive. “The fact that the FBI can secretly access devices and reconfigure them remotely without a trace is both reassuring and scary,” he said. “I am very impressed to know the FBI is this good. It also makes me wonder if our adversaries have the same capabilities. Sounds like a Tom Clancy book in the making.”
C.J. Fairfield and Jay Fitzgerald contributed to this story.