
Botnet activity warnings last month came from from U.S. and U.K. cybersecurity agencies has expanded to a second type of hardware, according to researchers at Trend Micro.
The CyclopsBlink malware is now targeting routers from hardware maker ASUS, the researchers said Thursday, after first being discovered on Firebox devices from WatchGuard. Both manufacturers have issued security bulletins to customers.
The U.K. NCSC and the U.S. CISA, NSA and FBI linked the botnet to the state-backed Russian advanced persistent threat (APT) group known as Sandworm.
Though the attackers have been blamed in numerous major incidents; researchers so far have not tied CyclopsBlink to any high-profile targets. The botnet seems to be oriented toward propagating itself, in part by turning compromised devices into C&C servers for other bots, Trend Micro said.
Our data also shows that although Cyclops Blink is a state-sponsored botnet, its C&C servers and bots affect WatchGuard Firebox and Asus devices that do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage. Hence, we believe that it is possible that the Cyclops Blink botnet’s main purpose is to build an infrastructure for further attacks on high-value targets.
Trend Micro Statement
Trend Micro said a third manufacturer’s devices could be a CyclopsBlink target, “but so far we have been unable to collect malware samples for this router brand.”.
CyclopsBlink is a modular, meaning that once the botnet persists on a device, the malware can be used for other, more intrusive activities. Nearly 200 victims from typical countries of infected WatchGuard devices and Asus routers are the United States, India, Italy, Canada, and a long list of other countries, including Russia,