The FBI took down a botnet of small office/home office routers used by Russia's Main Intelligence Directorate of the General Staff in spearphishing and credential theft attacks targeting the United States and its allies.
This network of hundreds of Ubiquiti Edge OS routers infected with Moobot malware was controlled by GRU Military Unit 26165, also tracked as APT28, Fancy Bear, and Sednit.
The Russian hackers' targets include U.S. and foreign governments, military entities, and security and corporate organizations.
Cybercriminals not linked with the GRU first infiltrated Ubiquiti Edge OS routers and deployed the Moobot malware, targeting Internet-exposed devices with widely known default administrator passwords.
Subsequently, the GRU hackers leveraged the Moobot malware to deploy their own custom malicious tools, effectively repurposing the botnet into a cyber espionage tool with global reach.
During a court-authorized operation, FBI agents remotely accessed the compromised routers and used the Moobot malware itself to delete stolen and malicious data and files.
Next, they deleted the Moobot malware and blocked remote access that would've otherwise allowed the Russian cyberspies to reinfect the devices.
Apart from cutting off the GRU's access to the routers, the operation neither disrupted the devices' normal functionality nor collected any user data.
The court-sanctioned actions that severed the routers' link to the Moobot botnet are only temporary.
Users can undo the FBI's firewall rules by factory resetting their routers or by accessing them from their local networks.
Factory resetting a device without also changing its default admin password will leave it exposed to reinfection.
The APT28 cyber-espionage group was previously linked to the 2015 hack of the German Federal Parliament.
The Council of the European Union also sanctioned multiple APT28 members in October 2020 for their involvement in the 2015 German Federal Parliament hack.
Moobot is the second botnet used by state-sponsored hackers to evade detection that the FBI has disrupted in 2024, following the January takedown of the KV-botnet used by Chinese state hackers tracked as Volt Typhoon.
CISA and the FBI also issued guidance for SOHO router manufacturers, urging them to secure their devices against ongoing attacks by shipping secure configuration defaults and by eliminating web management interface flaws during development.
Published on www.bleepingcomputer.com. Publication date: Thu, 15 Feb 2024 18:05:14 +0000