
U.S. Government Disrupts Botnet Used by Russian GRU Hackers


The Justice Department on Thursday announced that it has disrupted a botnet operated by Russia's GRU Military Unit 26165, also known as APT28.

The DoJ said that during a January operation it was able to neutralize the malware network made up of hundreds of Ubiquiti Edge OS routers. These small office/home office (SOHO) routers were being leveraged by APT28 in order to enable and hide various spearphishing and credential harvesting attacks launched against U.S. government officials and military, security and enterprise organizations. APT28, also known as Fancy Bear, is associated with Russia’s GRU military intelligence unit and is known for previous destructive malware attacks.

“Russia’s GRU continues to maliciously target the United States through their botnet campaigns,” said FBI Director Christopher Wray in a Thursday statement. “The FBI utilized its technical capabilities to disrupt Russia’s access to hundreds of routers belonging to individuals in addition to small and home offices. This type of criminal behavior is simply unacceptable, and the FBI, in coordination with our federal and international partners, will not allow for any of Russia’s services to negatively impact the American people and our allies.”

While previous Russian-operated malware networks that U.S. law enforcement has disrupted were built from scratch by the GRU, this botnet was unique in that it instead leveraged malware called Moobot, which is associated with a cybercriminal group. The Mirai-based Moobot botnet, first discovered in 2019, is known to target IoT devices and routers, typically by exploiting vulnerabilities or by brute-forcing weak default passwords.
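The spreading technique described above, credential brute-forcing against factory-default accounts, leaves a distinctive trace in a device's authentication log: one source trying several default usernames in quick succession, sometimes followed by a successful password login. The following detector is an added example written for this article, not code from the DoJ, Ubiquiti or the Moobot operators. The log lines are constructed in OpenSSH `sshd` syslog format, and the set of default account names (`ubnt`, `admin`, `root`, `user`) is an assumption for illustration, not a list the article provides.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH sshd syslog format (not taken from the article).
# One source sprays several default-looking usernames, then gets a password login accepted;
# a second source fails once and then authenticates with a key, which is normal admin behaviour.
SAMPLE_LOG = """\
Jan 14 02:11:01 edge sshd[1201]: Failed password for ubnt from 198.51.100.23 port 51022 ssh2
Jan 14 02:11:02 edge sshd[1201]: Failed password for admin from 198.51.100.23 port 51023 ssh2
Jan 14 02:11:02 edge sshd[1201]: Failed password for root from 198.51.100.23 port 51024 ssh2
Jan 14 02:11:03 edge sshd[1201]: Failed password for ubnt from 198.51.100.23 port 51025 ssh2
Jan 14 02:11:04 edge sshd[1201]: Failed password for admin from 198.51.100.23 port 51026 ssh2
Jan 14 02:11:05 edge sshd[1201]: Accepted password for ubnt from 198.51.100.23 port 51027 ssh2
Jan 14 02:12:40 edge sshd[1209]: Failed password for ops from 192.0.2.5 port 40011 ssh2
Jan 14 02:12:45 edge sshd[1209]: Accepted publickey for ops from 192.0.2.5 port 40012 ssh2
"""

# Matches both "Failed password for <user>" and "Accepted publickey for <user>" forms,
# including the "invalid user" variant sshd emits for unknown accounts.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# Assumed set of usernames commonly shipped as factory defaults on routers and IoT devices.
DEFAULT_ACCOUNTS = {"ubnt", "admin", "root", "user"}


def parse_auth_log(text):
    """Turn raw log text into a list of {result, method, user, src} dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_credential_sprays(events, threshold=3):
    """Return {src: sorted default usernames tried} for every source with at least
    `threshold` failed password attempts that touched default-looking accounts."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed" and e["method"] == "password":
            failures[e["src"]].append(e["user"])
    findings = {}
    for src, users in failures.items():
        tried_defaults = set(users) & DEFAULT_ACCOUNTS
        if len(users) >= threshold and tried_defaults:
            findings[src] = sorted(tried_defaults)
    return findings


def find_success_after_spray(events, sprays):
    """Sources that obtained a password login after spraying: the case that warrants
    treating the device as compromised rather than merely probed."""
    return sorted({
        e["src"] for e in events
        if e["result"] == "Accepted" and e["method"] == "password" and e["src"] in sprays
    })


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    sprays = find_credential_sprays(evts)
    for src, users in sprays.items():
        print(f"spray from {src}: default accounts tried {users}")
    for src in find_success_after_spray(evts, sprays):
        print(f"password login accepted from {src} after spray: investigate device")
```

The threshold and account list are the knobs to tune per environment; the important design point is that a successful password login from a source that was just spraying is a much stronger signal than the failures alone, and that key-based logins are deliberately excluded from the spray count so routine administration does not trip the rule.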

“Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords,” according to the DoJ. “GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.”


The DoJ obtained court authorization to use the Moobot malware to copy and delete stolen data and malicious files from compromised routers, and then neutralize the devices by modifying the routers’ firewall rules in order to block remote management access to the devices. The DoJ said law enforcement also temporarily collected non-content routing data in order to expose the GRU's attempts to thwart the operation.

“As described in court documents, the government extensively tested the operation on the relevant Ubiquiti Edge OS routers,” according to the DoJ. “Other than stymieing the GRU’s ability to access the routers, the operation did not impact the routers’ normal functionality or collect legitimate user content information.”

The DoJ said that affected users can roll back the firewall rule changes by performing a factory reset on their routers or by accessing the routers from their local network. In addition to a factory reset, users should be sure to change the default administrator passwords on the devices, which prevents the routers from being reinfected.

The operation marks the latest disruption of malicious cyber operations by U.S. law enforcement. Recent actions have targeted the BlackCat ransomware group in December, a botnet used by the PRC state-sponsored group Volt Typhoon in January, and Turla’s Snake espionage malware in May 2023.

“With these operations, and many more like them, we’ve set our sights on all the elements that we know from experience make criminal organizations tick: their people—a term we define broadly to include not just ransomware administrators and affiliates, but their facilitators, like bulletproof hosters and money launderers; their infrastructure; their servers, botnets, etc.; and their money, the cryptocurrency wallets they use to stash their ill-gotten gains, hire associates, and lease infrastructure,” said Wray while speaking Thursday at the Munich Security Conference.