The successful pre-emptive FBI attack that stopped a Russian government-backed botnet aimed at taking down SMB and home office networks is a historic moment in the battle to protect Main Street from foreign cybersecurity attacks, MSPs said.
“This is an incredible time for MSPs,” David Stinner, president of Buffalo, New York-based MSP US itek, said in reaction to the FBI operation. “The US government has just launched a preemptive strike against Russian hackers benefiting MSPs around the world. It’s great to know that the FBI is protecting us with this type of cyber warfare. Kinetic warfare is the war of the past. Cyber warfare is the war of the future. I am delighted that we have the United States government protecting us from these types of attacks.”
Stinner’s comments came after the FBI revealed that it had proactively removed malware from devices used by thousands of businesses, mostly small businesses, that used WatchGuard appliances, primarily firewalls.
FBI Director Christopher Wray said the sophisticated, court-authorized operation disrupted a “botnet of thousands of Russian government-controlled devices before it could do any damage.”
The FBI removed the malware and then “closed the door that the Russians had used to get in,” Wray said, according to a transcript of remarks given at a news conference Wednesday. He said the botnet that was disrupted was built by the GRU, the Russian government’s military intelligence agency. Specifically, he singled out the GRU Sandworm team.
The Sandworm team had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies Firebox appliances — primarily firewalls, typically deployed in home office environments and small and medium-sized businesses, Wray said.
The FBI worked closely with WatchGuard to “analyze malware and develop detection tools and remediation techniques over the past few weeks,” Wray said.
“Our operation removed Russia’s ability to control these Fireboxes in the botnet and then copied and removed the malware from the infected devices,” he said.
Wray warned that any Firebox devices acting as bots “may remain vulnerable in the future” until mitigated by users. “Those owners should still go ahead and take WatchGuard’s recommended detection and remediation steps as soon as possible,” he said.
Stinner said he believes an out-of-band emergency patch from his firewall vendor, which he did not name for fear of inciting an attack, may have been related to the FBI operation. “We’ve never seen this kind of urgency from a firewall vendor,” he said.
Stinner’s message to other MSPs: “You should be aware of notifications from your firewall vendor and pay attention to any urgent updates immediately. You need to make sure you can instantly patch all your firewalls from a single pane of glass with a single click instead of blocking them one by one.”
The FBI operation marks the beginning of a new era in the ongoing battle MSPs are waging to protect themselves and SMBs from all kinds of attacks, including nation-state attacks, Stinner said.
“Large companies have invested heavily in cyber security and their defenses are high,” he said. “They are more difficult to attack. This was an attempt by Russia to inflict maximum chaos on the US economy by bringing down small businesses. This could have potentially impacted millions of small businesses. The Russian government was looking to bring down Main Street and targeted WatchGuard devices. If Russia was successful, this could have caused massive chaos.”
Michael Goldstein, president and CEO of Fort Lauderdale, Florida-based MSP LAN Infotech, applauded the FBI for working closely with WatchGuard to take “measures” to prevent what could have been a devastating attack.
“Looks like the firewalls were there, [and they were] planting malware that were botnets that went out and reported [to the hackers],” he said.
Goldstein said he sees the close cooperation between the FBI and WatchGuard as the “start of bigger things” in the ongoing battle to protect businesses.
WatchGuard said it was notified by the FBI and the UK National Cyber Security Center on November 30, 2021 of their ongoing international investigation into Cyclops Blink.
A WatchGuard spokesperson said the company played a “significant role” in eliminating the threat posed by Cyclops Blink by “rapidly rolling out detection and remediation tools to protect its partners and customers” following the government’s disclosure of the malware. “The company’s close collaboration with its partner and customer communities was critical to mitigating this sophisticated state-sponsored threat, which affected less than 1 percent of WatchGuard devices,” the spokesperson said.
WatchGuard had issued Cyclops Blink detection tools and what it called a “4-Step Cyclops Blink Diagnostic and Remediation Plan” on February 23 to help partners and customers diagnose and remediate the threat.
In addition to WatchGuard, Asus, which has a sizeable share of the home Wi-Fi router market, issued security advisories with software updates related to Cyclops Blink for its home Wi-Fi routers. CRN contacted Asus but had not received a response at the time of publication.
Mike Turicchi, vice president of Gainesville, Virginia-based NCS Technologies, said the FBI’s ability to step in to protect MSPs and their customers is impressive. “The fact that the FBI can secretly access devices and remotely reconfigure them without a trace is both reassuring and terrifying,” he said. “I am very impressed to learn that the FBI is so good. It also makes me wonder if our adversaries have the same capabilities. Sounds like a Tom Clancy book in the making.”
CJ Fairfield and Jay Fitzgerald contributed to this story.