Cyclops Blink malware: US and UK authorities issue alert

Cyclops Blink malware: US and UK authorities issue alert

According to a joint security advisory published yesterday by US and UK cybersecurity and law enforcement agencies, a new malware called Cyclops Blink has surfaced to replace the VPNFilter malware attributed to the Sandworm group, which has always been seen as a Russian state-sponsored group.

Cyclops Blink

The alert issued by the Cybersecurity & Infrastructure Security Agency(CISA) and an analysis publishedby the UK’s National Cyber Security Center(NCSC) show Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) for this new malware.

Cyclops Blink has primarily been deployed to networking hardware company WatchGuard’s devices. According to WatchGuard, Cyclops Blink may have affected approximately 1% of active firewall appliances, which are devices mainly used by business customers.

Cyclops Blink has been found in WatchGuard’s firewall devices since at least June 2019. But the NCSC warns that it is likely that Sandworm is capable of compiling the same or very similar malware for other architectures and firmware. The attackers were able to infect their devices via a WatchGuard vulnerability that was patched in a May 2021 update.

The analysis says Cyclops Blink malware also comes with modules specifically developed to upload/download files to and from its command and control server, collect and exfiltrate device information, and update the malware. The presence of a Cyclops Blink infection does not mean that an organization is the primary target, but its machines could be used to conduct attacks on others. Either way, it is in your best interest to disconnect and remediate any affected devices.


In light of world news, it’s important to note that the Sandworm group has been known to target Ukrainian companies and government agencies. They were held responsible for destroying entire Ukrainian networks, triggering blackouts by targeting electrical utilities in the Ukraine (BlackEnergy malware), and releasing the NotPetya malware. NotPetyais the name given to a later version of the Petya malware that began spreading rapidly, with infection sites focused in Ukraine, but from there it also spread across Europe and beyond.

Among the latest attacks on Ukraine was a distributed denial of service (DDoS) attack. Cyberattacks, such as DDoS attacks, fall under the traditional categories of sabotage, espionage and subversion. So far, we can see the results of these attacks as several of Ukraine’s bank and government department websites crashed, and earlier this week some 70 Ukrainian government websites underwent the same fate.

As we learned from NotPetya, these attacks can spread around the world. NotPetya affected computer networks worldwide, targeting hospitals and medical facilities in the United States, and costing more than US$1 billion in losses.


CISA and the NCSC both describe the Cyclops Blink malware as a successor to an earlier Sandworm tool known as VPNFilter, which infected half a million routers to form a global botnet before it was identified by Cisco and the FBI in 2018 and largely dismantled. It never fully disappeared, and the Sandworm group has since shown limited interest in existing VPNFilter footholds, instead preferring to retool.

VPNFilter was deployed in stages, with most functionality in the third-stage modules. These modules enabled traffic manipulation, destruction of the infected host device, and likely enabled downstream devices to be exploited.

Mitigation and detection

WatchGuard firewall appliances are not at risk if they were never configured to allow unrestricted management access from the Internet which is the default setting for all WatchGuard’s physical firewall appliances. Internet access to the management interface of any device is a security risk.

All WatchGuard appliances should be updated to the latest version of Fireware OS.

When it comes to infected appliances, Cyclops Blink persists on reboot and throughout the legitimate firmware update process. So, affected organizations should take steps to remove the malware. WatchGuard customers and partners can eliminate the potential threat posed by malicious activity from the botnet by immediately enacting WatchGuard’s 4-Step Cyclops Blink Diagnosis and Remediation Plan.

Owners of infected appliances will also need to update the passphrases for the Status and Admin device management accounts and replace any other secrets, credentials, and passphrases configured on the appliance. All accounts on infected devices should be assumed to be compromised.

Heightened awareness of Cyclops Blink and other malware attacks that may be aimed at the Ukraine is required. This is true for everyone involved in cybersecurity by the way, not just owners of WatchGuard appliances.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.