US Disrupts Russian Botnet

The Justice Department announced the disruption of a Russian GRU-controlled botnet:

The Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as “bots,” the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control.

The botnet “targets network devices manufactured by WatchGuard Technologies Inc. (WatchGuard) and ASUSTek Computer Inc. (ASUS).” And note that only the command-and-control mechanism was disrupted. Those devices are still vulnerable.

The Justice Department made a point that they did this before the botnet was used for anything offensive.

Four more news articles. Slashdot post.

EDITED TO ADD (4/13): WatchGuard knew and fixed it nearly a year ago, but tried to keep it hidden. The patches were reverse-engineered.

Posted on April 7, 2022 at 9:31 AM


SpaceLifeForm April 7, 2022 12:33 PM

Remote access should be disabled by default.

One should properly lockdown the router BEFORE it is put online.

NO remote access, no WPS, All passwords changed, SSIDs changed.

Before you start using it online.

SpaceLifeForm April 7, 2022 2:09 PM

WatchGuard knew and fixed it nearly a year ago, but tried to keep it hidden.

But, the patches were Reverse Engineered.

Will Dormann had a comment:

WatchGuard should have assigned a CVE when they released an update that fixed the vulnerability. They also had a second chance to assign a CVE when they were contacted by the FBI in November. But they waited for nearly 3 full months after the FBI notification (about 8 months total) before assigning a CVE.
This behavior is harmful, and it put their customers at unnecessary risk.

I really wonder how many vendors have insiders at C-level that are pwned.

MarkH April 7, 2022 2:40 PM

Information technology, home of the world’s stupidest smart people! A security appliance endangering security in many countries …

The name is actually a useful clue. “Watch” and “Guard” are synonyms. What kind of mentality stuck them together, to form its corporate identity?

“Fireware” OS?

If you’ve got any of this junk on a network you’re responsible for … You Have Been Warned.

Ted April 7, 2022 4:35 PM

Oh, there’s Sandworm. Making another unsavory appearance. Albeit it was quiet at this stage.

The Cyclops Blink malware seems particularly insidious. The DOJ said the infected network devices could potentially allow Sandworm to conduct malicious actions on all the computers in their network.

@SpaceLifeForm, All

Do you think the FBI had WatchGuard stay on the down low until the NCSC, CISA, FBI, and NSA released their advisory?

Clive Robinson April 7, 2022 5:15 PM

@ lurker,

Don’t buy stuff: make your own.

Some of us have the skills, most however don’t, so they would just follow somebody else’s recipe, which apart from the “Home baked” smell is really very much the same as “store bought” but without the “fit for market” legal protections.

But having cut my own cookies many times, I realised I’m not up to keeping up at “all the levels required” any more. That is, the “computing stack” has many layers and every year another layer of doom or two appears within it. Getting to understand a new layer, even one you effectively created, is hard. Even just getting your head around one set of code running in any new layer is not a task you want to do unless there is some significant reward in it…

So rather than dealing with what were once annoying mole hills five decades ago, I realised it was now more riding out active volcanoes rising up with fire and doom at every step.

The sensible way to deal with volcanoes is not to get involved if it’s not your job. Thus you “mitigate” in some way.

Which is why my “mitigation” strategy with the Internet is the same as it is with active volcanoes, that is to put some safe distance between what I consider valuable and it. That is, not to connect wherever possible, indirectly and never directly, to the Internet.

What this current case proves in a way, is in ICTsec specifically, and ICT industry in general,

“Nothing you can buy is actually fit for market…”

The recent attack on ViaComm Satellite Terminals shows just what could have easily happened here.

If the only thing manufacturers turn out is effectively “garbage out” then you have to ask where the “garbage in” came from to complete the GIGO paradigm… Add to that, neither the legislators nor law enforcement want to tighten up the market by regulation or action, then you can see why many think they are complicit…

That is, if the US pushes insecurity into the world then the US can snoop to its heart’s content. But when others potentially reciprocate because of inaction by US regulators and law enforcement, then law enforcement finally take what is illegal action.

So it begs the question,

“Why not as law enforcement / regulators take market improvement action within US jurisdiction, rather than wait and take illegal action in other non US jurisdictions?”

Hence my desire to keep my valuables out of the illegal activities of US law enforcement hands…

Because let’s be honest, what trust can you have in the activities of criminals who do not face sanction to wilfully limit their activities?

After all, until recently those Russian Cyber-Criminals and ransomware gangs did not face sanctions either, and would you trust them?… Nope, me neither…

SpaceLifeForm April 7, 2022 5:31 PM

@ Ted

re: down low

Maybe. I have already seen that argument. Including that it was ordered.

The problem is that the horse (patched firmware) had already left the barn.

Maybe, if it happened, it was actually to investigate other things. I.E., not the firmware itself, but some wetware.

It may have happened, just to give some bad actors a false sense of security.

SpaceLifeForm April 7, 2022 5:43 PM

@ lurker

Yebbut, too many devices nowadays require ‘net access for “registration”, and some functions may not work without it.

Then it is unfit for purpose.

Research before you buy.

If you can not flash open source firmware onto the device, then it is evil.

Sofakinbd April 8, 2022 10:52 AM

Brian Krebs posted on it too:
Actions Target Russian Govt. Botnet, Hydra Dark Market

The U.S. Federal Bureau of Investigation (FBI) says it has disrupted a giant botnet built and operated by a Russian government intelligence unit known for launching destructive cyberattacks against energy infrastructure in the United States and Ukraine. Separately, law enforcement agencies in the U.S. and Germany moved to decapitate “Hydra,” a billion-dollar Russian darknet drug bazaar that also helped to launder the profits of multiple Russian ransomware groups….

Also this week, German authorities seized the server infrastructure for the Hydra Market, a bustling underground market for illegal narcotics, stolen data and money laundering that’s been operating since 2015. The German Federal Criminal Police Office (BKA) said Hydra had roughly 17 million customers, and over 19,000 vendors, with sales amounting to at least 1.23 billion euros in 2020 alone.

In a statement on the Hydra takedown, the U.S. Department of Treasury said blockchain researchers had determined that approximately 86 percent of the illicit Bitcoin received directly by Russian virtual currency exchanges in 2019 came from Hydra.

