Top security agencies have warned of a new malware that Russian military hackers use to exploit firewalls, compromise networks and infect with malware.

According to the NCSC, CISA, FBI, and NSA, the malware known as “Cyclops Blink” is linked to Sandworm, an offensive hacking operation previously linked to Russia’s GRU.

Cyclops Blink has special capabilities, including the ability to gain persistent remote access to networks, upload and download files from infected machines, and the ability to add new features to malware that have already been executed.

Further clarification shows that Cyclops Blink persists at reboot and during the legitimate firmware update process.

It essentially targets WatchGuard devices that are reconfigured from the manufacturer’s default settings. This is used to open remote management interfaces to external access.

The NCSC recommended that organizations with devices infected with Cyclops Blink change their passwords. Other advice includes avoiding the exposure of management interfaces of network devices to the Internet and updating the devices.