
Feds remove Ubiquiti router botnet used by Russian intelligence


The FBI dismantled a botnet of several hundred small office/home office (SOHO) routers that U.S. authorities said was used in large credential-harvesting campaigns for Russia’s intelligence service.

The Justice Department said the botnet was under the control of Unit 26165, a military intelligence cyber group that is part of Russia’s General Staff Main Intelligence Directorate (GRU) and is also tracked as APT28, Fancy Bear, Sofacy and Sednit.

The botnet was built by cybercriminals outside the GRU who initially installed Moobot malware on Ubiquiti Edge OS routers that could be compromised because they used publicly known default administrator passwords.

“GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the Justice Department said in a Feb. 15 statement.

APT28 used the botnet to carry out “vast spearphishing and similar credential-harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations,” the statement said.

U.S. authorities cracking down on state-sponsored botnets

The Justice Department obtained court authorization for an operation called Dying Ember where FBI cyber experts copied and deleted stolen and malicious data and files from the compromised routers. The operation also reversibly modified the routers’ firewall rules to block APT28’s remote management access to the devices.

In a similar operation authorities disclosed last month, the FBI took down another SOHO router botnet they said was run by Volt Typhoon, a Chinese state-sponsored threat group intent on disrupting critical infrastructure.

“For the second time in two months, we’ve disrupted state-sponsored hackers from launching cyber-attacks behind the cover of compromised U.S. routers,” said Deputy Attorney General Lisa Monaco.

Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division described Dying Ember as a “unique, two-for-one operation” because it was able to disrupt a botnet used by both criminal and state-sponsored actors.

Roger Grimes, KnowBe4’s data-driven defense evangelist, said it was encouraging that proactive operations against coordinated cyberattacks were becoming more frequent.

“It’s wonderful news anytime some hacker group, especially a nation-state project, is put out of business,” Grimes said.

“Of course, there are always ten thousand other things to attack and compromise, but that takes new work, and anytime you are making your adversary work harder that’s a good day.”

Because Operation Dying Ember took down the botnet remotely, the FBI was working through internet service providers to contact owners of the affected SOHO routers.

To better protect their devices from future attacks, the agency recommended affected owners perform a hardware factory reset of the router, upgrade to the latest firmware, change default usernames and passwords, and implement strategic firewall rules to prevent unwanted remote management.
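Two of the four recommended steps (removing default credentials and restricting remote management with firewall rules) can be checked against a router's exported configuration before and after remediation. The following script is an added example written for this article; it is not code from the FBI, Ubiquiti or the article's author. It parses the `set ...` command form that EdgeOS prints for its configuration, assumes `eth0` is the WAN uplink, treats `ubnt` (the factory default EdgeOS administrator name) as the account that should no longer exist, and runs over two constructed sample configurations rather than data from a real device.

```python
"""Audit an EdgeOS-style configuration dump for two hardening items from the
article: a default admin account still present, and SSH / web GUI reachable
from the WAN because no drop-by-default local firewall policy is attached to
the WAN interface.  Sample configs below are constructed for this example."""

WAN_INTERFACE = "eth0"           # assumption: WAN uplink is eth0
DEFAULT_ADMIN_USERS = {"ubnt"}   # factory default EdgeOS admin user name

# Constructed sample: factory-like state the article describes as exposed
WEAK_CONFIG = """\
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 address 192.168.1.1/24
set service gui https-port 443
set service ssh port 22
set system login user ubnt authentication encrypted-password '<hash>'
set system login user ubnt level admin
"""

# Constructed sample: after renaming the admin and attaching a WAN_LOCAL policy
HARDENED_CONFIG = """\
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 address 192.168.1.1/24
set service gui https-port 443
set service ssh port 22
set system login user netadmin authentication encrypted-password '<hash>'
set system login user netadmin level admin
"""


def parse_set_lines(text):
    """Return each `set` line as its list of tokens, minus the leading `set`."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            rows.append(line.split()[1:])
    return rows


def audit_config(text, wan=WAN_INTERFACE):
    """Return a list of finding strings; an empty list means nothing flagged."""
    rows = parse_set_lines(text)
    findings = []

    # 1. Default administrator account still configured
    users = {r[3] for r in rows
             if len(r) > 3 and r[:3] == ["system", "login", "user"]}
    for user in sorted(users & DEFAULT_ADMIN_USERS):
        findings.append(f"default admin account '{user}' still present")

    # 2. Remote management services that are switched on
    services = {r[1] for r in rows
                if len(r) > 1 and r[0] == "service" and r[1] in ("ssh", "gui")}

    # 3. A 'local' policy (traffic destined to the router itself) on the WAN port
    local_policy = None
    for r in rows:
        if len(r) > 6 and r[:6] == ["interfaces", "ethernet", wan,
                                    "firewall", "local", "name"]:
            local_policy = r[6]

    if services and local_policy is None:
        findings.append(f"{', '.join(sorted(services))} enabled but no local "
                        f"firewall policy on {wan}")
    elif local_policy is not None:
        # An attached policy only helps if it drops by default
        default_action = next(
            (r[4] for r in rows
             if len(r) > 4 and r[:4] == ["firewall", "name", local_policy,
                                         "default-action"]),
            None)
        if default_action != "drop":
            findings.append(f"policy {local_policy} on {wan} does not drop "
                            f"by default")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_config(cfg) or ["no findings"])
```

The check reads a saved configuration, so it can be run offline against a backup taken after the factory reset and firmware upgrade; a `default-action drop` policy attached as `firewall local` on the WAN port is what stops management sessions from the internet while leaving LAN-side administration intact.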

In the wake of the earlier Volt Typhoon botnet takedown, the Cybersecurity and Infrastructure Security Agency (CISA), together with the FBI, published guidance on security design improvements for SOHO device manufacturers. The guidance urged manufacturers to build security into the design, development, and maintenance of SOHO routers to prevent threat groups from compromising them and using them as a launching pad to attack critical infrastructure.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
