H-ISAC TLP White Threat: Joint Cybersecurity Advisory: New Sandworm Malware Cyclops Blink Replaces VPNFilter

February 23, 2022

The United Kingdom National Cyber Security Centre (NCSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have identified that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to here as Cyclops Blink. 

Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices.

The NCSC, CISA, and the FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate's (GRU's) Main Centre for Special Technologies (GTsST).

Health-ISAC is issuing a threat bulletin regarding this alert, with additional technical details, indicators of compromise (IOCs), and remediation strategies attached. The original alert, AA22-054A: New Sandworm Malware Cyclops Blink Replaces VPNFilter, can be accessed here.

View the detailed report below. 

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272