Infamous Hacker Group Attacked Ukraine Just Before Russian Invasion

Authorities in the U.S. and United Kingdom said the Russian hacker group behind a 2018 attack that infected 500,000 routers across the world was involved in a separate attack against Ukraine, just before Russia itself invaded that country in 2022.

The group, known as Sandworm, was identified by both the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), as well as two UK agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centre (NCSC), which warned about new malware. As the tech news site Wired summarized:

The new malware, which the agencies call Cyclops Blink, has been found in firewall devices sold by networking hardware company Watchguard since at least June 2019. But the NCSC warns that “it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware,” that it may have already infected other common network routers used in homes and businesses, and that the malware’s “deployment also appears indiscriminate and widespread.”

The agencies involved did point out that the attack was not thought to be directly part of the Russian invasion of Ukraine that began on February 24, 2022. It is, however, the latest in a series of malware attacks against Ukrainian networks and devices carried out by Sandworm, known within the Russian intelligence agency the GRU as “Unit 74455.”

Analysts found that Cyclops Blink, which was capable of lingering inside infected devices even if users rebooted them, was a successor to “VPNFilter,” a separate piece of malware that Sandworm used to hit an estimated half a million devices worldwide in May 2018. Cisco’s security group Talos noted at the time that this attack was “actively infecting Ukrainian hosts at an alarming rate.”

Wired also reported that VPNFilter was similar in some respects to yet another Sandworm attack in 2015, which led to mass electrical blackouts in Ukraine. The group carried out a similar attack a year later against the capital city of Kyiv, and another in 2017 that caused a reported $10 billion in damages.

After seizing control of part of the network responsible for VPNFilter in 2018, the FBI urged Americans to reboot and reset their routers to mitigate possible damage. As the Washington Post reported at the time:

But resetting the router sets this complicated malware back to Stage One, said Ashley Stephenson of Corero Network Security. In its first stage, VPN Filter establishes a presence in a router, but it needs to talk to another part of the network to download the second stage of the attack.

Now that the FBI has control over part of the network, routers trying to enter that second stage will send information to the agency instead of hackers, Stephenson said.

The U.S. Department of Justice indicted six members of Sandworm in October 2020:

Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin, as well as Anatoliy Sergeyevich Kovalev, who was previously indicted two years ago for his alleged role in hacking US states’ Boards of Election in 2016.

The 2022 cyberattacks against Ukraine have targeted the country’s government and its banking industry. Security expert Rick Holland told The Guardian that this latest attack fit the pattern of Russian attacks “providing a level of plausible deniability.”

“Russia didn’t just decide to invade Ukraine this week,” said Holland, who heads information security for the firm Digital Shadows. “Military planners have prepared for this campaign years in advance. Disinformation, false flags, DDoS attacks, and destructive wiper malware are a part of Russian military doctrine; the battle plans have been drawn up and are now being executed.”

Update 3/8/2022, 2:00 p.m. PST: This article has been revamped and updated. You can review the original here. -ag