
A notorious Russian threat group has reemerged with new malware and new tactics. Known as Sandworm, or Voodoo Bear, this state-backed group, attributed to Russia's military intelligence service (the GRU), has been deploying a modular malware framework called Cyclops Blink. It is assessed to be the replacement for VPNFilter, the router botnet that was exposed and disrupted in 2018.
This update comes from a joint advisory issued in February 2022 by the UK NCSC, CISA, the NSA, and the FBI, which describes how Sandworm continues to evolve its capabilities in high-impact ways.
Sandworm’s History of Destruction
If the name Sandworm rings a bell, it’s because their cyberattacks have made headlines for nearly a decade. Some of their most infamous operations include:
- Cutting power to parts of Ukraine in December 2015, in an operation that used BlackEnergy malware
- Cutting power to part of Kyiv in December 2016 with Industroyer, malware built to speak directly to industrial control systems
- Launching NotPetya in 2017, a destructive wiper disguised as ransomware that spread across the globe and caused billions in damage
- Conducting large-scale disruptive attacks on Georgian websites and broadcasters in 2019
- Disrupting the 2018 Winter Olympics in PyeongChang, widely assessed as a sabotage campaign
This is not a group that launches ransomware for profit—they specialize in chaos.
Cyclops Blink: A Modular Evolution
The newly observed malware framework, Cyclops Blink, has been in use since at least June 2019 according to the advisory, but is only now becoming widely known thanks to increased visibility and joint analysis by the agencies involved.
What makes Cyclops Blink especially concerning is how it is installed. Once a device has been compromised, the malware is deployed as part of a firmware "update". Because it lives in the device's firmware image, it survives reboots, and remediation is far harder than with traditional malware: clearing it requires reflashing the device rather than deleting a file.
Infections observed so far have been on WatchGuard firewall appliances, and specifically on devices whose configuration had been changed from the factory default so that the remote management interface accepted connections from the internet. However, the modular nature of Cyclops Blink means it could be adapted to other network devices and architectures in future campaigns.
Why This Matters to Defenders
The resurgence of Sandworm with an updated toolkit should serve as a wake-up call to security teams across all industries—not just government or infrastructure.
Here’s what you should consider doing now:
- Audit and secure edge devices, especially firewalls and VPN appliances, and know which of them accept connections from the internet
- Disable remote management features unless strictly necessary; where they are needed, restrict them to internal or dedicated administration networks, require strong authentication, and never expose them to "any" source
- Monitor firmware integrity, particularly on internet-facing devices: install only vendor-supplied images, verify them against the vendor's published checksums before flashing, and treat an unexpected version or digest change as an incident
- Stay current with threat intelligence feeds, especially IOCs released by the advisory's authors and the affected vendor for Cyclops Blink
- Use EDR/XDR solutions (like Defender for Endpoint) to spot lateral movement and post-exploitation behavior on hosts; appliances cannot run an agent, so watch their network traffic instead
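The two controls above that teams most often get wrong are the remote-management exposure and the firmware baseline. The following is an added example, not code from the advisory or from any vendor, showing one way to audit both: it flags management rules that listen on the WAN interface or allow sources outside an approved administrator network, and it compares a retrieved firmware image against a known-good digest. The rule format, the administrator networks, and the firmware bytes are all constructed for illustration; real rule exports are vendor-specific.

```python
"""Added example (not from the advisory or the page): audit a firewall's
remote-management access rules for internet exposure and check a firmware
image against a known-good baseline. The rule format, networks and image
bytes below are constructed for illustration."""
import hashlib
import ipaddress
from dataclasses import dataclass

# Networks from which administrators may reach management services.
# Constructed example values; replace with your own admin VLANs / jump hosts.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/24"),
                  ipaddress.ip_network("192.168.100.5/32")]


@dataclass
class MgmtRule:
    name: str
    interface: str   # zone the service listens on: "trusted", "optional", "external" (WAN)
    service: str     # e.g. "https-mgmt", "ssh"
    source: str      # CIDR of permitted clients, or "any"
    enabled: bool


# Constructed rule export: a safe rule, two typical misconfigurations, a disabled rule.
SAMPLE_RULES = [
    MgmtRule("mgmt-from-admin-vlan", "trusted", "https-mgmt", "10.20.0.0/24", True),
    MgmtRule("mgmt-for-remote-support", "external", "https-mgmt", "any", True),
    MgmtRule("ssh-from-branch", "external", "ssh", "203.0.113.0/24", True),
    MgmtRule("legacy-mgmt", "external", "https-mgmt", "any", False),
]


def rule_findings(rule: MgmtRule) -> list[str]:
    """Return the reasons a management rule counts as exposed (empty list = OK)."""
    if not rule.enabled:
        return []
    findings = []
    if rule.interface == "external":
        findings.append(f"{rule.service} listens on the WAN-facing interface")
    if rule.source.strip().lower() == "any":
        findings.append("source is 'any': reachable from the whole internet")
        return findings
    net = ipaddress.ip_network(rule.source, strict=False)
    if net.prefixlen == 0:
        findings.append("source is 0.0.0.0/0 or ::/0: reachable from the whole internet")
    elif not any(net.version == a.version and net.subnet_of(a) for a in ADMIN_NETWORKS):
        findings.append(f"source {net} is outside the approved admin networks")
    return findings


def audit_rules(rules) -> dict[str, list[str]]:
    """Map each rule name to its findings, omitting rules with none."""
    report = {}
    for r in rules:
        f = rule_findings(r)
        if f:
            report[r.name] = f
    return report


# Known-good baseline: firmware version -> SHA-256 of the image you verified
# against the vendor's published checksum before installing it.
# GOOD_IMAGE is a constructed stand-in for a real firmware image.
GOOD_IMAGE = b"constructed firmware image, version 12.8.2"
BASELINE = {"12.8.2": hashlib.sha256(GOOD_IMAGE).hexdigest()}


def firmware_drift(reported_version: str, image: bytes):
    """Compare a retrieved firmware image with the baseline for its version.
    Returns None when it matches, otherwise a description of the drift."""
    digest = hashlib.sha256(image).hexdigest()
    expected = BASELINE.get(reported_version)
    if expected is None:
        return f"version {reported_version} is not in the baseline: unexpected update"
    if digest != expected:
        return f"image for version {reported_version} does not match the baseline digest"
    return None


if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(f"[EXPOSED] {name}")
        for f in findings:
            print(f"    - {f}")
    print(firmware_drift("12.8.2", GOOD_IMAGE))
    print(firmware_drift("12.8.2", GOOD_IMAGE + b"\x00implant"))
```

Two caveats apply in practice. The rule check only knows what you tell it: the approved networks must be the administrator networks you actually use, and a rule on an internal zone that admits a large range is still worth a second look. The firmware check is only as good as its baseline: the digest must come from a vendor image you verified against the vendor's published checksum, not from whatever the device was running when you first looked, since a malicious "update" of the kind described above would simply become the baseline.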
Final Thoughts
Sandworm isn’t just another APT. They’re one of the few threat groups that combine sophisticated tooling with a proven willingness to disrupt real-world infrastructure. Their shift from VPNFilter to Cyclops Blink represents a tactical evolution and a warning: firmware attacks are no longer niche.
Security leaders should pay close attention to this development—not just because of what Sandworm is doing today, but because of what this signals for the future of state-backed cyber operations.
