US takes down Russian botnet, launches new cybersecurity bureau
Last week, the United States announced that it had taken action to preempt a Russian botnet attack. It also launched a new cybersecurity bureau. Both moves are part of a wider strategy to improve America’s security posture.
The FBI disrupts a botnet
On April 6, the U.S. Department of Justice (DOJ) issued a press release saying that it had successfully removed Russian botnet malware from infected devices.
According to the DOJ, the authorities carried out the operation with the approval of the courts. As a New York Times report explains:
The court orders allowed the FBI to go into domestic corporate networks and remove the malware, sometimes without the company’s knowledge.
The move is similar to the Bureau’s 2021 operation to mitigate the Microsoft Exchange Server breach. In that operation, the FBI accessed the servers of private companies without the owners’ knowledge.
The malware and the removal operation
The malware removed by the FBI is known as “Cyclops Blink”. Security analysts attribute it to Sandworm, a Russian military cyberwarfare unit.
Cyclops Blink is botnet malware: malware that sets up, spreads, and/or controls a botnet. A botnet is a network of infected devices controlled by bad actors and used for malicious purposes.
Cyclops Blink targeted network hardware devices — more specifically, firewall devices and routers made by the companies WatchGuard and Asus. Analysts say that the malware has already infected thousands of vulnerable devices worldwide.
The FBI kept the scope of its operation fairly limited. They only removed Cyclops Blink from the Command and Control (C&C) devices used by the botnet. Of course, that still leaves many devices infected with the malware (all of the ordinary “bots” in the botnet). But a botnet with disabled C&C nodes is a fairly useless botnet, since the remaining infected devices can’t receive commands or coordinate their actions.
The authorities warned that the infected devices are still potentially at risk:
WatchGuard and ASUS devices that acted as bots may remain vulnerable to Sandworm if device owners do not take the WatchGuard and ASUS recommended detection and remediation steps.
The future of U.S. cybersecurity
As last week’s FBI operation shows, the U.S. government appears to be taking a more proactive approach to cybersecurity.
Another example of this trend came at the beginning of the same week: The U.S. Department of State announced that the Bureau of Cyberspace and Digital Policy (CDP) had officially begun to operate.
The State Department says that the CDP will “address the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy”.
Officials are hoping that the CDP will help the United States partner with its allies to combat shared cyberthreats. As an Engadget piece notes, the wider policy significance of the new bureau is that it “makes cybersecurity a more formal area of focus for US foreign policy”.