DOJ, FBI disrupt Russian intelligence botnet
U.S. authorities took down a network of hundreds of compromised small office and home office routers being used by Russian military intelligence to carry out global cyber espionage campaigns, the Federal Bureau of Investigation and Department of Justice announced Thursday.
Speaking at the Munich Cyber Security Conference on Thursday, FBI Director Christoper Wray said the operation aimed to “kick the Russian GRU off” a large network of compromised routers “and lock the door behind them, killing the GRU’s access to a botnet it was piggybacking to run cyber operations against countries around the world, including America and its allies in Europe.”
The operation, approved by a U.S. court in January, dismantled a botnet used by GRU Military Unit 26165 that targeted Ubiquiti Edge OS routers that were still using publicly known default administration passwords, the DOJ said in its announcement.
The hackers targeted the routers with the Moobot malware to install their own bespoke scripts and files that “repurposed the botnet, turning it into a global cyber espionage platform,” the agency said. Moobot is a malware based on the Mirai botnet, and was first detailed by Fortinet in December 2021.
The Russian unit was using the botnet against intelligence targets, including U.S. and foreign governments, as well as unnamed military, security and corporate organizations, the DOJ said.
The takedown is the second U.S. government disruption of state-backed botnets in the last two months. In January, the DOJ announced the takedown of a botnet used as part of a Chinese-sponsored operation tracked as Volt Typhoon to target U.S. critical infrastructure targets as part of what the U.S. government says is pre-positioning for action in the event of military conflict.
Similar FBI operations in recent years have targeted other Russian and Chinese cyberespionage tools as part of a more proactive Department of Justice approach to disrupt the digital infrastructure that criminal and espionage groups rely on.
The FBI operation “leveraged” the Moobot malware to copy and delete stolen and malicious data and files from compromised routers, the DOJ statement said. It also modified the routers’ firewall rules to block remote management access to the devices, “and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.”
Palo Alto Networks Unit 42 and the Ukrainian government documented some of the Unit 26165 activity in recent public notices.
Unit 26165, also tracked as APT28, is the same unit behind the hack-and-leak operations targeting the Democratic National Committee, said John Hultquist, the chief analyst at Mandiant Intelligence.
“These actions aren’t a panacea and this actor will be back with a new scheme soon, but as elections loom, it’s never been a better time to add friction to GRU operations,” Hultquist said in a statement. “The hack and leak operations they have carried out may be the most effective cyberattack on elections we’ve witnessed, and we have no reason to believe they won’t replay this tactic again.”
The U.S. government’s targeting of the Ubiquiti Edge OS routers did not impact the devices’ normal functionality or collect “legitimate user content information,” the DOJ said. Also, the steps the FBI took to disconnect the routers from the Moobot botnet are temporary and can be reversed by doing a factory reset of the device.
“However, a factory reset that is not also accompanied by a change of the default administrator password will return the router to its default administrator credentials, leaving the router open to reinfection or similar compromises,” the DOJ said.
