The US Department of Justice claims that it has disrupted a botnet controlled by the Russian state-sponsored hacking group Forest Blizzard, also known as Fancy Bear. The Russian hackers' targets include US and foreign governments, military entities, and security and corporate organizations. The FBI operation copied and deleted stolen files and other data from the compromised routers and, working with local Internet service providers, the FBI then informed the owners and operators of the routers.[1]
The FBI operation took down a botnet of Small Office/Home Office (SOHO) routers, which has been used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic and to target the United States and its allies in spear phishing and credential theft attacks. This network of hundreds of Ubiquiti Edge OS routers infected with Moobot malware was controlled by GRU Military Unit 26165, also tracked as APT28, Fancy Bear, Forest Blizzard and Sednit.
See: https://redskyalliance.org/xindustry/moobot
The US Justice Department said this botnet was built by cyber criminals using the known ‘Moobot’ malware and later commandeered by the Russian APT group. “Non-GRU cyber criminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the agency said. The operation also disabled remote access to the devices, which were used by individuals and small offices across the US Users can regain normal access to the devices through factory resets.
Muhammad Yahya Patel, lead security engineer at Check Point Software, commented, "It’s good to see that the FBI has taken this action. However, it underscores crucial lessons for our cybersecurity posture. Routers and internet-facing devices must proactively block access to known malicious domains, with real-time threat intelligence for dynamic updates as new threats emerge. For sensitive offices, additional authentication measures are vital. The persistence of such threats raises questions about the efficacy of our defenses and shows the need for constant vigilance... Remote access should be fortified with strict controls. These measures constitute basic cyber hygiene, expected and enforced across government, military, and corporate sectors." Patel said.
Cyber criminals not linked with the Russian Military Intelligence infiltrated Ubiquiti Edge OS routers and deployed the Moobot malware, targeting Internet-exposed devices with widely known default administrator passwords. Subsequently, the GRU hackers leveraged the Moobot malware to deploy their own custom malicious tools, effectively repurposing the botnet into a cyber espionage tool with global reach.
The FBI has discovered a wide range of APT28 tools and artifacts, from Python scripts for harvesting webmail credentials and programs for stealing NTLMv2 digests to custom routing rules that redirected phishing traffic to dedicated attack infrastructure. This operation serves to reinforce the need to implement robust password policies, alongside strict user access control to enforce the principle of least privilege. Continuous security monitoring of internet-facing devices is vital to detect and defeat covert activities.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. redskyalliance. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.cybersecurityintelligence.com/blog/russian-military-botnet-dismantled-7482.html
Comments