Sandworm APT Hunts for ASUS Routers with Cyclops Blink Botnet

The Russian-speaking APT behind the NotPetya attacks and the Ukrainian power grid takedown could be setting up for additional sinister attacks, researchers said.

The modular botnet known as Cyclops Blink, linked to the same advanced persistent threat (APT) behind the NotPetya wiper attacks, is expanding its device targeting to include ASUS routers.

Further, it’s likely that the botnet’s purpose is far more sinister than the average Mirai-knockoff’s penchant for distributed denial-of-service (DDoS) attacks.

That’s the word from Trend Micro researchers, who noted that Cyclops Blink casts a wide net in terms of the owners of the devices it chooses to infect, with no specific focus on high-value government or diplomatic entities. While that’s out of step with typical APT behavior, researchers said that it’s likely the botnet will be used as persistent infrastructure for mounting further attacks on high-value targets, and as such, should be indiscriminately distributed for maximum effect.

“It should be noted that these victims do not appear to be evidently valuable targets for either economic, military or political espionage,” according to the firm’s analysis. “For example, some of the live command-and-control servers (C2s) are hosted on WatchGuard devices used by a law firm

Read More: