Successful operations against Russian Sandworm and Strontium groups targeting Ukraine revealed

The US Department of Justice (DoJ) and Microsoft have taken the sting out of two operations believed to be controlled by the Russian Federation’s Main Intelligence Directorate (GRU).

On Wednesday, the DOJ announced that it had disrupted GRU’s control over thousands of internet-connected firewall devices compromised by the Russian Sandworm group.

One day later, Microsoft disclosed information about the steps it took to disrupt cyberattacks it had seen targeting Ukraine. These attacks came from Strontium, another GRU-connected threat actor.

In light of world news, it’s important to note that the Sandworm group has always been known to target Ukrainian companies and government agencies. It has been held responsible for destroying entire Ukrainian networks, triggering blackouts by targeting electrical utilities, and releasing the NotPetya malware.

Shutdown operation

Although the DOJ announcement came just two days ago, the takedown operation actually occured a little earlier, in March 2022. And the story starts before that, with a joint advisory released on 23 February by law enforcement agenices in the UK and the USA, about Cyclops Blink malware targeting network devices manufactured by WatchGuard and ASUS.

Cyclops Blink surfaced as a replacement for VPNFilter malware, which the DOJ disrupted with an operation in 2018. Both Cyclops Blink and VPNFilter are generally attributed to the Sandworm group, which has always been seen as a Russian state-sponsored actor.

On the same day the advisory was released, WatchGuard published a diagnosis and remediation plan, and ASUS released its own guidance. However, despite their advice, a botnet of “thousands of infected network hardware devices” running Cyclops Blink remained.

In March the DOJ set out to fix that by targeting the Command and Control (C2) servers that orchestrated the botnet. The department says it did this by copying and removing Cyclops Blink malware from the C2 devices, and closing the external management ports that the Sandworm group used to access them.

WatchGuard users that need the external management ports can reverse the closure through a device restart, but they are advised to follow this knowledge base article about remote management.

Although this stopped Sandworm from controlling the thousands of compromised WatchGuard and ASUS devices, it did not remove the malware from them.

According to Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division:

This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal. By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity.


On the same day that the DOJ announced its Cyclops Blink takedown, Microsoft obtained a court order authorizing it to take control of seven internet domains being used by the Strontium group.

The Strontium group, often referred to as Fancy Bear or APT28, is another GRU-connected threat actor known to target Ukrainian institutions, as well as government institutions and think-tanks in the United States and the European Union involved in foreign policy.

After taking control of the domains, Microsoft re-directed them to a sinkhole under its control. A sinkhole is a way of redirecting malicious internet traffic so that it can be captured and analyzed by security professionals. Sinkholes are most often used to seize control of botnets.

Microsoft describes this disruption as part of an ongoing long-term campaign, started in 2016, to take legal and technical action to seize infrastructure used by Strontium. The company has established a legal process that enables it to obtain rapid court decisions for this work. Prior to this week, it says it had taken action through this process 15 times to seize control of more than 100 Strontium controlled domains.

Good riddance

While these attacks are just a small part of the cyber-activity we are seeing in Ukraine, it does help to take out a few of these active major threats.

The FBI is urging people to contact their local field office if they believe they have a compromised device. The agency says it “ontinues to conduct a thorough and methodical investigation into this cyber incident.”

The post Successful operations against Russian Sandworm and Strontium groups targeting Ukraine revealed appeared first on Malwarebytes Labs.