Earlier this year, the intelligence agencies of the US and UK accused Sandworm, a cyber-group affiliated with Russia’s GRU military intelligence unit, of distributing sophisticated malware that targets network appliances. Dubbed “Cyclops Blink,” the malware is the successor to an older framework called “VPNFilter,” which by 2018 had infected hundreds of thousands of routers and network-attached storage devices and was one of the largest-scale malware families on record.
Both VPNFilter and Cyclops Blink are modular frameworks designed for flexible use across a wide range of targets, from firewalls and routers to the networks in front of cyber-physical systems. They are modular in the sense that the operators can expand the capabilities of the malware after deployment by pushing additional modules to an infected device, for example to search for sensitive information, alter the implant’s own signatures to evade detection, or distribute new variants.
The technical details are interesting and reveal the long-term investment of the hacking group; the timing shows the lengths to which Russia will go to run cyber-operations alongside its invasion of Ukraine.
Cyclops Blink appears identical in purpose to VPNFilter: indiscriminately burrowing its way into network devices at the edge of a victim’s network. Where VPNFilter went after small-office routers and NAS devices, Cyclops Blink targets WatchGuard firewall appliances. The published analysis describes a generic, modular implant compiled for the appliance’s architecture, meaning the same framework could readily be rebuilt to target other network devices running different operating systems or processor architectures.
This is a concern because, just as we saw with VPNFilter in 2018, an implant on networking gear gives the malware a platform from which to spread prolifically. Just like a virus during a global pandemic, malware families like Cyclops Blink target “superspreaders.” Routers, switches and VPN concentrators are attractive targets to adversaries for two reasons: they rarely run the endpoint agents and logging that workstations and servers do, so defenders lose the ability to see when they have been compromised, and, by virtue of their role in routing traffic, they provide turnkey access to many other devices within a target network. Disconcertingly, Cyclops Blink is installed as part of the device’s firmware image, gaining persistence across reboots and even across legitimate firmware updates.
Advanced persistent threats (APTs) and bad actors like Sandworm employ modular frameworks with their top-tier attack tools for a number of reasons:
- The frameworks are harder to detect. By keeping the core persistence module as small and generic as possible, the attacker gives defenders very little to write signatures and heuristics against, so the implant is much harder to detect and its spread much harder to block.
- They improve attackers’ ability to stealthily embed malware. Using modular frameworks, APTs can gain initial access to their target with a low-value piece of malware called a loader, whose only job is to maintain access and fetch other modules. As an attacker, it isn’t always clear where the malware will land (especially during phishing or supply chain attacks). To avoid the complete loss of a hacking tool, APTs expose only the lowest-value components in case the loader lands in a well-monitored environment. APTs want to reduce the risk of losing expensive, high-equity modules right away.
- They decrease the risk of losing high-value malware. Modular frameworks allow the APT to keep high-risk capabilities like zero-day privilege escalation or remote-access exploits contained within special modules. These modules are only deployed to targets when the attackers need them. For example, an attacker might discover a computer in a conference room and want to install an audio-capture module. The attacker sends the module to the target computer and the framework installs the new functionality. Since modules are only installed when they’re needed, this lowers the risk of losing expensive, high-risk plugins containing the zero-day and unknown attack techniques.
- They’re efficient to build. APTs are made up of talented people skilled in the art of making malware, but those people are also just software developers. These organizations of software developers work in teams, and those teams map naturally onto a plugin framework: one team can work on the core module, another on initial access, another on the cyber-physical attack module, each developing and testing its piece independently.
APTs have cleverly developed a strategy through modular frameworks allowing them to preserve their own malware “crown jewels.” They apply these stealthy techniques against high-value targets where victims cannot afford to lose access. Reverse engineering of VPNFilter by Cisco Talos uncovered a packet-sniffer module that specifically watched for Modbus traffic, a protocol widely used within cyber-physical systems in critical infrastructure like power plants, manufacturing, large ships, and water treatment facilities. Combined with other modules that could manipulate traffic passing through the device, render the infected device itself inoperable, or use it as a pivot point into other connected systems, that Modbus-aware module gave the operators a foothold from which to do serious damage to industrial-control systems.
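The Modbus sniffing described above is worth turning around from the defender’s side. The following is an added example, not code from VPNFilter, Cyclops Blink or the author: a small Modbus/TCP parser (7-byte MBAP header plus PDU) and a detector that flags write requests coming from any host other than the sanctioned engineering workstation. A compromised router or firewall sits in the path of this traffic, so a write that originates from the network device itself rather than from the HMI is exactly the kind of event such an implant would produce. The IP addresses, unit ids and the packet “capture” are constructed for the example and are hypothetical.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODBUS_TCP_PORT = 502

# Function codes from the Modbus application protocol specification.
READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int   # raw function code; bit 0x80 set marks an exception response
    data: bytes     # PDU payload after the function code


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU.

    Returns None for anything that is not a well-formed frame, so that
    non-Modbus traffic on port 502 is skipped rather than misreported.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is always 0; the length field counts unit id + PDU,
    # so a complete ADU is exactly 6 + length bytes.
    if proto != 0 or length < 2 or len(payload) != 6 + length:
        return None
    return ModbusFrame(tid, unit, payload[7], payload[8:])


def build_modbus_tcp(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP ADU (used here only to construct the sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def write_address(frame: ModbusFrame) -> Optional[int]:
    """Starting coil/register address a write request targets, or None."""
    if frame.function in (5, 6, 15, 16, 22) and len(frame.data) >= 2:
        return struct.unpack(">H", frame.data[:2])[0]
    if frame.function == 23 and len(frame.data) >= 6:   # write range follows the read range
        return struct.unpack(">H", frame.data[4:6])[0]
    return None


Packet = Tuple[str, str, int, bytes]            # (src_ip, dst_ip, dst_port, tcp_payload)
Alert = Tuple[str, str, int, str, Optional[int]]  # (src, dst, unit_id, operation, address)


def inspect_capture(packets: List[Packet], allowed_writers: set) -> List[Alert]:
    """Flag Modbus write requests sent by hosts that are not sanctioned writers."""
    alerts: List[Alert] = []
    for src, dst, dport, payload in packets:
        if dport != MODBUS_TCP_PORT:
            continue
        frame = parse_modbus_tcp(payload)
        if frame is None or frame.function not in WRITE_FUNCTIONS:
            continue
        if src not in allowed_writers:
            alerts.append((src, dst, frame.unit_id,
                           WRITE_FUNCTIONS[frame.function], write_address(frame)))
    return alerts


# Constructed sample capture (hypothetical addresses): the HMI at 10.0.1.5 is the
# only host allowed to write to the PLC at 10.0.2.10; 10.0.0.1 is the site router.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.1.5", "10.0.2.10", 502, build_modbus_tcp(1, 1, 3, b"\x00\x00\x00\x0a")),   # read 10 holding regs
    ("10.0.1.5", "10.0.2.10", 502, build_modbus_tcp(2, 1, 6, b"\x00\x10\x00\xff")),   # HMI write, allowed
    ("10.0.2.10", "10.0.1.5", 49152, build_modbus_tcp(2, 1, 0x86, b"\x02")),           # exception response
    ("10.0.0.1", "10.0.2.10", 502, build_modbus_tcp(7, 1, 5, b"\x00\x03\xff\x00")),   # router forces coil 3 ON
    ("10.0.0.1", "10.0.2.10", 502, build_modbus_tcp(8, 1, 16,                         # router writes regs 256-257
                                                    b"\x01\x00\x00\x02\x04\x00\x01\x00\x02")),
    ("10.0.0.1", "10.0.2.10", 502, b"\x00\x09\x00\x01\x00\x02\x01\x03"),               # not Modbus (proto id 1)
]

if __name__ == "__main__":
    for alert in inspect_capture(SAMPLE_PACKETS, allowed_writers={"10.0.1.5"}):
        print("ALERT unsanctioned Modbus write:", alert)
```

Run against the sample capture, only the two writes from the router are reported; the HMI’s own write, the read request, the PLC’s exception response and the malformed frame are all passed over. On a real network the packet tuples would come from a SPAN port or a pcap, and the allowlist from the plant’s asset inventory; the point is that Modbus has no authentication of its own, so provenance of write traffic is something the defender has to check out-of-band.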
As a modular framework closely modeled on VPNFilter, Cyclops Blink can reasonably be expected to support plug-in modules for attacking critical infrastructure. Unsurprisingly, the two frameworks share tactics, techniques, and procedures that overlap with those long associated with Sandworm. Seeing new frameworks rise to the surface from the GRU is completely expected during a time of geopolitical conflict.
In mid-2018, the Department of Justice and the FBI seized command-and-control infrastructure used by VPNFilter, significantly disrupting the botnet and forcing Russia’s GRU to retool its framework. Sandworm had already been linked to the Ukraine blackouts caused by the BlackEnergy malware in 2015 and the Industroyer malware in 2016, as well as to the NotPetya wiper, disguised as ransomware, in 2017.
It’s highly encouraging to see international collaboration to call out Russian cyber-behavior. That the UK joined the US in releasing threat intelligence about Cyclops Blink is a testament to the Five Eyes intelligence alliance. The UK’s GCHQ is an eminently capable intelligence organization and undoubtedly contributed in a significant way to the Cyclops Blink threat-intelligence gathering.
By Josh Lospinoso, co-founder and CEO of Shift5