FBI Preempted Russian Cyberattack

The US conducted a preemptive strike against the GRU's systems.

Reuters (“U.S. FBI says it disrupted Russian hackers“):

The U.S. Federal Bureau of Investigation has wrested control of thousands of routers and firewall appliances away from Russian military hackers by hijacking the same infrastructure Moscow’s spies were using to communicate with the devices, U.S. officials said on Wednesday.

An unsealed redacted affidavit described the unusual operation as a pre-emptive move to stop Russian hackers from mobilizing the compromised devices into a “botnet” – a network of hacked computers that can bombard other servers with rogue traffic.

“Fortunately, we were able to disrupt this botnet before it could be used,” U.S. Attorney General Merrick Garland said.

The Russian Embassy in Washington did not immediately return an email seeking comment.

The targeted botnet was controlled through malware called Cyclops Blink, which U.S. and UK cyberdefense agencies had publicly attributed in late February to “Sandworm,” allegedly one of the Russian military intelligence service’s hacking teams that has repeatedly been accused of carrying out cyberattacks. Cyclops Blink was designed to hijack devices made by WatchGuard Technologies Inc (WTCHG.UL) and ASUSTeK Computer Inc (2357.TW), according to research by private cybersecurity firms. It provides Russian services with access to those compromised systems, offering the ability to remotely exfiltrate or delete data or turn the devices against a third party.

Watchguard issued a statement confirming it worked with the U.S. Justice Department to disrupt the botnet but did not disclose the number of devices affected – saying only that they represented “less than 1 percent of WatchGuard appliances.”

AsusTek, better known as Asus, did not immediately return messages seeking comment.

FBI Director Chris Wray told reporters the FBI, with court approval, secretly reached into thousands of routers and firewall appliances to delete the malware and reconfigure the devices. “We removed malware from devices used by thousands of mostly small businesses for network security all over the world,” Wray said. “We shut the door the Russians had used to get into them.”

The affidavit noted that U.S. officials launched an awareness campaign “to inform owners of WatchGuard devices of the steps they should take to remediate infections or vulnerabilities” and yet less than half the devices had been fixed to expel the hackers. The affidavit noted that the FBI had carried out its work in cooperation with WatchGuard.

NYT (“U.S. Says It Secretly Removed Malware Worldwide, Pre-empting Russian Cyberattacks“) adds:

The United States said on Wednesday that it had secretly removed malware from computer networks around the world in recent weeks, a step to pre-empt Russian cyberattacks and send a message to President Vladimir V. Putin of Russia.

The move, made public by Attorney General Merrick B. Garland, comes as U.S. officials warn that Russia could try to strike American critical infrastructure — including financial firms, pipelines and the electric grid — in response to the crushing sanctions that the United States has imposed on Moscow over the war in Ukraine.

The malware enabled the Russians to create “botnets” — networks of private computers that are infected with malicious software and controlled by the G.R.U., the intelligence arm of the Russian military. But it is unclear what the malware was intended to do, since it could be used for everything from surveillance to destructive attacks.

An American official said on Wednesday that the United States did not want to wait to find out. Armed with secret court orders in the United States and the help of governments around the world, the Justice Department and the F.B.I. disconnected the networks from the G.R.U.’s own controllers.

The NYT report, by Kate Conger and David Sanger, anticipates my reaction:

President Biden has repeatedly said he would not put the U.S. military in direct conflict with the Russian military, a situation he has said could lead to World War III. That is why he refused to use the U.S. Air Force to create a no-fly zone over Ukraine or to permit the transfer of fighter jets to Ukraine from NATO air bases.

But his hesitance does not appear to extend to cyberspace. The operation that was revealed on Wednesday showed a willingness to disarm the main intelligence unit of the Russian military from computer networks inside the United States and around the world. It is also the latest effort by the Biden administration to frustrate Russian actions by making them public before Moscow can strike.

Even as the United States works to prevent Russian attacks, some American officials fear Mr. Putin may be biding his time in launching a major cyberoperation that could strike a blow at the American economy.

Until now, American officials say, the primary Russian cyberactions have been directed at Ukraine — including “wiper” malware designed to cripple Ukrainian government offices and an attack on a European satellite system called Viasat. The details of the satellite attack, one of the first of its kind, are of particular concern to the Pentagon and American intelligence agencies, which fear it may have exposed vulnerabilities in critical communications systems that the Russians and others could exploit.

While the administration has, rightly in my view, ruled out direct kinetic confrontation with Russia, ruling out not only “boots on the ground” but a US-manned no-fly zone, the fact of the matter is that we’re very much belligerents in the war on the side of Ukraine. We’re supplying weapons and ISR support that are directly leading to the deaths of Russian soldiers. It would not be the least bit surprising if Russia decided to hit back.

The rules of cyber escalation are still soft. Going back to at least the Obama administration, the United States has publicly reserved the option to respond to cyberattacks via military action. Presumably, this is intended for attacks on critical infrastructure that pose a direct threat to life. Still, it’s easy to fathom one side launching a cyberattack that it believed short of the red line that would lead to a kinetic response and the receiving party believed otherwise.

As always when authorities announce their success in stopping an attack, we really don’t know whether an attack was coming, much less how much damage it would have caused. Under the circumstances, though, Justice (presumably with direct approval from the President) was almost certainly right in not waiting to find out.

FILED UNDER: Intelligence, National Security, World Politics, , , , , , , , , , , , ,
James Joyner
About James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College. He's a former Army officer and Desert Storm veteran. Views expressed here are his own. Follow James on Twitter @DrJJoyner.


  1. Lounsbury says:

    Reading the news in the AM, the first thought was that the Biden Administration has taken away some lessons on selective Intel use in PR war from the run up. Seems useful.

  2. DK says:

    What is the strategy behind making this public? Defense people, explain.

  3. Jen says:

    @DK: I’m not a defense expert by any stretch, but I’m guessing that it’s all part of the strategy Biden’s been following since the beginning of the war.

    Putin’s typical MO is to use the GRU to destabilize and then use that destabilization as a rationale for his actions. By making the intent public, it’s stripping Putin of his “excuses.”

    It’s an unusual tactic, but it appears to be working rather well.

    Accurate U.S. intelligence did not stop Putin, but it gave Biden big advantages.

  4. Scott says:

    I saw this on the news yesterday but it also referenced the FBI office in Pittsburgh.

    Pittsburgh? Found this article:

    Feds announce disruption of Russian malware attack in operation aided by Pittsburgh FBI, U.S. Attorney’s office

    The U.S. Department of Justice announced a series of measures Wednesday to combat Russian criminal activity, including an operation to disrupt a malware program that officials said would have allowed the Russian government to control thousands of infected security devices around the world.

    The operation to disrupt the “Cyclops Blink” malware was led by the FBI in Pittsburgh, Atlanta and Oklahoma City, and the U.S. Attorney’s office in Pittsburgh.

    Special Agent in Charge Mike Nordwall of the FBI’s Pittsburgh Field Office said the FBI is committed to combating Russia’s criminal efforts.

    “The FBI prides itself on working closely with our law enforcement and private sector partners to expose criminals who hide behind their computer and launch attacks that threaten Americans’ safety, security and confidence in our digitally connected world,” Nordwall said.

    “Private sector partners”. Carefully not mentioned. I’m guessing Carnegie-Mellon and the Software Engineering Institute (SEI), a DoD Federally Funded Research and Development Center.

  5. James Joyner says:


    “Private sector partners”. Carefully not mentioned. I’m guessing Carnegie-Mellon and the Software Engineering Institute (SEI), a DoD Federally Funded Research and Development Center.

    Possibly—but I just took it to mean the Watchguard and possibly ASUS.

  6. Scott says:

    @James Joyner: Also possible. I don’t know how the FBI is structured. There may be various FBI centers of expertise around the country that focus on specific issues like financial crimes, accounting fraud, etc.

  7. Michael Reynolds says:

    Rather a parallel to the Russian experience in Ukraine, isn’t it? Cocky little comrades who think they’re playing Genghis in China and turn out to be playing Mussolini in Ethiopia. Who’d have ever guessed that the country which gave the world Google, Apple, Intel, Microsoft, Cisco and many other innovative tech companies, would have its own hackers? The GRU vs. Silicon Valley. Only the Russians are arrogant and clueless enough to believe they’d win that fight.

    Steven Colbert has been deliberately and with a malicious Boomer wink, reviving old Soviet-era jokes with the recurring punchline, “Is potato.” Russia really is just a Texaco station with nukes.

  8. Mr. Prosser says:

    @Michael Reynolds: Dipsticks with WMDs. Aye, and there’s the rub.

  9. Jay L Gischer says:

    I like Scott’s take on why Pittsburgh. CMU was my first thought, too. Asus’ world HQ is in Taipei, and their US HQ is in Fremont, CA. It could also be that they just allow regionals to develop expertise of various types, too.

    I recall about 5 years ago the FBI put out a request to everyone to reboot their home router/modem. (easier than specifying types). It was to get rid of an invader that was of suspected Russian origin. Interestingly enough, this generation of worms would get its instruction from metadata of an image hosted on some public image service. The FBI figured this out, and took control of the image, changed the metadata so that when it woke up an looked for instructions, it would shut itself down.

    This cat and mouse has been going on for quite some time.

  10. Gustopher says:

    Still, it’s easy to fathom one side launching a cyberattack that it believed short of the red line that would lead to a kinetic response and the receiving party believed otherwise.

    I think this operation — which can be loosely explained as running antivirus software on computers without the owners knowledge or consent — falls well below any red line.

  11. James Joyner says:

    @Gustopher: Oh, for sure. It’s just that we’re treating cyber differently than we are conflict in the physical domains, in that we’re willing to engage directly rather than through proxies.

  12. Jamie says:

    I imagine the justification Biden will use is that Cyclops Blink could and would target US infrastructure. After all, it’s the FBI that was involved, not the CIA, even though the security researchers are global.

    The fun part is that it’s not clear exactly how this “disconnection” was achieved; I’m not a security researcher, but I can only think of two ways: either they got into the GRU’s systems, which is possible but unlikely and also a brittle solution, or they leveraged the backdoors that they themselves have in devices all over the world. That latter one, if true, is a ruckus waiting to happen.

    Here’s a much better explanation of Cyclops Blink, dated mid-March: https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers–.html

  13. JohnSF says:

    Amusing that Russia is getting hacked seven ways to Sunday by Anonymous.

    Ukraine has a huge hacker geek culture, at least partially (in the past) interlinked to Russian hackerdom.
    NSA and GCHQ et al are good at what they do.
    Cross pollinate with all the ‘hats at Big Tech, security firms, and academia…

    Also: a lot of the Russian state hacking activity crosses over into mafiya moneymaking.
    They just couldn’t resist using their best exploits for ransomware and other f@ckery.
    “Out of time, out of luck, out of ammunition.”