The Cyclops Blink botnet malware, first spotted last month infecting Firebox small-business network-security appliances made by WatchGuard, now targets more than a dozen Asus home Wi-Fi routers, Trend Micro said. Infected devices have been detected in “the United States, India, Italy, Canada” and even Russia itself. Even worse, Trend Micro believes that Asus may not be the only router brand affected.

“We have evidence that other routers are affected too, but … we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and Asus,” researchers Feike Hacquebord, Stephen Hilt and Fernando Merces wrote. “This malware is modular in nature and it is likely that each vendor has different modules and architectures that were thought out well by the Cyclops Blink actors.”

Sandworm strikes again

Cyclops Blink, sometimes written CyclopsBlink, is made and controlled by the Sandworm group, which is thought to be run by Russian military intelligence. Sandworm (a Dune reference) first rose to notoriety when the group attacked Ukrainian power plants in 2014.

The Sandworm group was also likely responsible for the massive “Petya” (or “NotPetya”) wave of ransomware-worm attacks in June 2017, which initially targeted Ukraine but quickly spread across the world. There’s even a book about Sandworm.

But the true predecessor to Cyclops Blink is VPNFilter, a different router-based botnet made by the Sandworm group that targeted Asus, D-Link, Linksys, MikroTik, Netgear, TP-Link and Ubiquiti routers in the summer of 2018. VPNFilter is still infecting routers that haven’t been patched with new firmware.

Trend Micro’s researchers think that the Asus routers aren’t actually the Cyclops Blink hackers’ ultimate targets. Instead, the routers are likely being prepared to be used as tools in larger attacks, possibly in conjunction with the ongoing Russian-Ukrainian war.

“Our data also shows that although Cyclops Blink is a state-sponsored botnet, its [command-and-control] servers and bots affect WatchGuard Firebox and Asus devices that do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage,” they wrote. “Hence, we believe that it is possible that the Cyclops Blink botnet’s main purpose is to build an infrastructure for further attacks on high-value targets.”

As with VPNFilter, the Cyclops Blink botnet malware will survive a reboot. The only way to truly immunize your vulnerable ASUS router is to factory-reset it and then update the router’s firmware to a safe version. Make sure you write down the names and passwords for your home wireless networks before you do the factory reset. Afterward, set up the router again with the same network information so that all your devices can re-connect easily.

Here’s the list of affected ASUS routers, with vulnerable firmware. Please note that the last three devices are marked as “end-of-life” (EOL) and will NOT be getting firmware updates to protect against Cyclops Blink. If you have one of those three, it’s time to go through our list of best Wi-Fi routers and buy a new one.

GT-AC5300 firmware under 3.0.0.4.386.xxxx
GT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC5300 firmware under 3.0.0.4.386.xxxx
RT-AC88U firmware under 3.0.0.4.386.xxxx
RT-AC3100 firmware under 3.0.0.4.386.xxxx
RT-AC86U firmware under 3.0.0.4.386.xxxx
RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
RT-AC3200 firmware under 3.0.0.4.386.xxxx
RT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
RT-AC87U (EOL)
RT-AC66U (EOL) (also affected by VPNFilter)
RT-AC56U (EOL)

The ASUS security advisory says that “If you have already installed the latest firmware version, please disregard this notice.” However, since Trend Micro found evidence that Cyclops Blink has been quietly infecting devices “since at least June 2019,” it wouldn’t hurt to factory-reset your router regardless. Here are ASUS’ instructions, with some clarifications from us:



title: “Asus Wi Fi Routers Attacked By Russian Military Hackers What To Do Now” ShowToc: true date: “2022-12-12” author: “Mary Vu”

