MESOP WATCH INTEL NEWS: Dutch intelligence disrupt large-scale botnet belonging to Russian spy agency

MARCH 7, 2022 BY INTELNEWS  – ON MARCH 3, 2022, Dutch newspaper Volkskrant reported that the Dutch Military Intelligence and Security Service (MIVD) took action in response to abuse of SOHO-grade network devices in the Netherlands.

The attacks are believed to have been perpetrated by the Main Intelligence Directorate of the General Staff of the Russian Armed Forces (GRU) Unit 74455. The unit, which is also known as Sandworm or BlackEnergy, is linked to numerous instances of influence operations and sabotage around the world.

The devices had reportedly been compromised and made part of a large-scale botnet consisting of thousands of devices around the globe, which the GRU has been using to carry out digital attacks. The MIVD traced affected devices in the Netherlands and informed their owners, MIVD chief Jan Swillens told Volkskrant. The MIVD’s discovery came after American and British [pdf] services warned in late February that Russian operatives were using a formerly undisclosed kind of malware, dubbed Cyclops Blink. According to authorities, the botnet in which the compromised devices were incorporated has been active since at least June 2019.

Cyclops Blink leverages a vulnerability in WatchGuard Firebox appliances that can be exploited if the device is configured to allow unrestricted remote management. This feature is disabled by default. The malware has persistence, in that it can survive device reboots and firmware updates. The United Kingdom’s National Cyber Security Centre describes Cyclops Blink as a “highly sophisticated piece of malware”.

Some owners of affected devices in the Netherlands were asked by the MIVD to (voluntarily) hand over infected devices. They were advised to replace the router, and in a few cases given a “coupon” for an alternative router, according to the Volkskrant. The precise number of devices compromised in the Netherlands is unclear, but is reportedly in the order of dozens. Swillens said the public disclosure is aimed at raising public awareness. “The threat is sometimes closer than you think. We want to make citizens aware of this. Consumer and SOHO devices, used by the grocery around the corner, so to speak, are leveraged by foreign state actors”, he added.

The disclosure can also be said to fit in the strategy of public attribution that was first mentioned in the Netherlands’ Defense Cyber Strategy of 2018. Published shortly after the disclosure of the disruption by MIVD of an attempted GRU attack against the computer network of the OPCW, the new strategy included the development of attribution capabilities, as well as the development of offensive capabilities in support of attribution. It advocates the view that state actors “that are [publicly] held accountable for their actions will make a different assessment than attackers who can operate in complete anonymity”.