The FBI silently removed Russian malware to thwart global cyberattacks

Sometimes even without the network owner's knowledge.


Attorney General Merrick Garland has revealed that the United States secretly removed malware from computer networks around the world over the past few weeks to pre-empt Russian cyberattacks. As The New York Times reports, Garland's announcement comes shortly after the White House warned companies that Russia could attack critical infrastructure in the country, such as financial institutions and the electric grid. Apparently, the malware the US removed enabled the intelligence arm of the Russian military called the GRU to create botnets out of the infected computer networks.

According to the Justice Department, the malware was designed to infect firewalls and made the compromised networks part of a botnet called Cyclops Blink. It's controlled by Sandworm, a notorious group that the US government had previously connected to the GRU. Cyclops Blink is Sandworm's latest known botnet, and it only came to light back in February. It's still unclear what Russia was planning to do with the hijacked computers, but botnets are typically used to perform large-scale Distributed Denial of Service (DDoS) attacks, as well as to send spam and to compromise sensitive information.

In its press release, the DOJ said the FBI notified owners of infected devices in the US before Cyclops Blink was identified in February 23rd. It also notified companies outside the country through local law enforcement partners. However, US authorities didn't want to wait to find out what the botnet would be used for.

The Justice Department and the FBI obtained secret court orders in the US and secured the help of governments worldwide to quietly remove the malware from infected devices. Those court orders even gave them the power to remotely remove the malware from American companies' networks without their knowledge. After the feds disinfected the compromised machines, they also closed the external management ports Sandworm was using for access.

Over the past months, the Biden administration has been exposing as much intelligence on Russia as possible without giving away its actions to catch Putin off guard. This disclosure is just its latest effort to send a message to the Russian president. The fact that Sandworm infiltrated networks around the world to create a botnet just shows, however, that there's a cyber warfare going on that might end up affecting countries other than Ukraine. If you'll recall, a major cyberattack took down Ukraine's government websites before the Russian invasion of the country began. Ukraine's government, as well as US and UK authorities, blamed the attacks on the GRU.