The U.S. government has disclosed information regarding the disruption of the Cyclops Blink botnet, before it could be weaponized. The botnet is managed by the Russian-based Sandworm threat group.

The disruption of the botnet

Sandworm has reportedly been developing this botnet since June 2019. 
  • Working with international partners, the U.S. government detected the infection of thousands of network hardware devices, mostly comprising WatchGuard Firebox firewall and ASUS routers.
  • The FBI has alerted owners of the infected devices by coordinating with foreign law enforcement partners before removing the botnet.
  • According to the FBI Director, the botnet was disrupted after close cooperation with Watchguard while analyzing the malware to develop detection tools and remediation techniques.

After the U.S. Justice Department operation's initial court authorization was given on March 18, the botnet infection was fully removed from all identified Watchguard devices.

A brief about Sandworm

Here is a quick summary of Sandworm’s operations:
  • Sandworm has been active since the mid-2000s. Its operators are believed to be Russian military hackers members of Unit 74455 of GRU's Main Center for Special Technologies (GTsST).
  • It is thought to be behind several global cyber incidents, including the BlackEnergy disruption of Ukrainian electricity in 2015, the Industroyer attack in 2016, and the NotPetya attack in 2017.


The disruption of Cyclops Blink botnet is indeed good news and shows how close cooperation between government and private organizations is against cyber threats. Further, the FBI suggested adopting Watchguard's detection and remediation steps for remediating any infection by the malware.
Cyware Publisher