CISA Cybersecurity Alerts 2.23.22
Ep 4 | 2.23.22

CISA Alert AA22-054A – New Sandworm malware “Cyclops Blink” replaces VPNFilter.


This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Zero Five Four Alpha.

​​Original release date: February Twenty Third, twenty twenty two.


CISA, the UK’s National Cyber Security Centre, the NSA, and the FBI have found the APT actor known as Sandworm or Voodoo Bear using a new modular malware framework called Cyclops Blink. CISA, NCSC, and the FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate, also known as the GRU.


Cyclops Blink appears to be a replacement framework for the VPN Filter malware exposed in 2018 that exploited network devices, primarily small office home office, or SOHO, routers and network attached storage devices.


This advisory provides detail on Cyclops Blink and the associated tactics, techniques and procedures used by Sandworm. An NCSC malware analysis report on Cyclops Blink is also provided.


The malware is sophisticated and modular with basic core functionality that allows infected device information to be sent back to a control server and malicious files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as needed.


Cyclops Blink and has been deployed since at least June 2019. Similar to VPNFilter, the use of Cyclops Blink also appears indiscriminate and widespread. The threat actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that the threat actor is capable of compiling the malware for other architectures and firmware.


The alert documentation linked in the show notes provides specific mitigation actions, malware data, and indicators of compromise. The documentation also includes a full MITRE ATT&CK framework mapping of the threat actor TTPs.


All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or


This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.


This has been a CISA Cybersecurity Alert.