U.S. authorities disrupt Russian intelligence’s botnet
In January 2024, an operation dismantled a network of hundreds of SOHO routers controlled by GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit. This network facilitated various crimes, including extensive spearphishing and credential harvesting against entities of interest to the Russian government, such as U.S. and foreign governments, military, and key security and corporate sectors.
This botnet was distinct from prior GRU and Russian Federal Security Service (FSB) malware networks disrupted by the Department in that the GRU did not create it from scratch. Instead, the GRU relied on the “Moobot” malware associated with a known criminal group.
Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.
The Department’s court-authorized operation leveraged the Moobot malware to copy and delete stolen and malicious data and files from compromised routers. Additionally, to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.
“Russia’s GRU continues to maliciously target the United States through their botnet campaigns,” said FBI Director Christopher Wray. “The FBI utilized its technical capabilities to disrupt Russia’s access to hundreds of routers belonging to individuals in addition to small and home offices. This type of criminal behavior is simply unacceptable, and the FBI, in coordination with our federal and international partners, will not allow for any of Russia’s services to negatively impact the American people and our allies.”
“In this unique, two-for-one operation, the National Security Division and its partners disrupted a botnet used by both criminal and state-sponsored actors,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “Notably, this represents the third time since Russia’s unjustified invasion of Ukraine that the Department has stripped the Russian intelligence services of a key tool used to further the Kremlin’s acts of aggression and other malicious activities. We will continue to use our legal authorities and cutting-edge techniques, and to draw on the strength of our partnerships, to protect the public and our allies from such threats.”
“This is yet another case of Russian military intelligence weaponizing common devices and technologies for that government’s malicious aims,” said U.S. Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania. “As long as our nation-state adversaries continue to threaten U.S. national security in this way, we and our partners will use every tool available to disrupt their cyber thugs — whomever and wherever they are.”
As described in court documents, the government extensively tested the operation on the relevant Ubiquiti Edge OS routers. Other than stymieing the GRU’s ability to access the routers, the operation did not impact the routers’ normal functionality or collect legitimate user content information. Additionally, the court-authorized steps to disconnect the routers from the Moobot network are temporary; users can roll back the firewall rule changes by undertaking factory resets of their routers or by accessing their routers through their local network (e.g., via the routers’ web-based user interface). However, a factory reset not accompanied by a change of the default administrator password will return the router to its default administrator credentials, leaving the router open to reinfection or similar compromises.
The FBI recently disrupted a Chinese botnet for targeting US critical infrastructure.