Federal law enforcement kicked Russian state hackers off a botnet comprising at least hundreds of home office and small office routers that had been pulled together by a cybercriminal group and co-opted by the state-sponsored spies.
APT28, a high-profile advanced persistent threat group linked to Russia's GRU military intelligence agency, used the network of Ubiquiti EdgeOS routers to hide its activities as it ran its operations, which included spearphishing and similar attacks against U.S. and foreign governments and militaries as well as security and corporate organizations in espionage campaigns aimed at harvesting credentials, according to an announcement Thursday by the U.S. Department of Justice.
Federal authorities were not only able to toss APT28 - also known as Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit - from the botnet, but also shut down access to the botnet by both the Russian gang and others that were using it.
Unlike similar operations run by the GRU and Russia's Federal Security Service, the Russian hackers didn't create the botnet themselves.
Instead, they leveraged a botnet built by another known cybercriminal group that had installed the malware on Ubiquiti routers that were still using publicly known default administrator passwords.
Using the Moobot malware, the GRU bad actors installed their own scripts and files, essentially repurposing the botnet and creating a global cyber-espionage platform.
According to the redacted search warrant, APT28 likely found the already compromised Ubiquiti routers it could use by running public internet scans using the specific version number of the OpenSSH-based malware already implanted in them.
Once found, the Russian hackers used the Moobot malware to access those routers.
The GRU spies used the routers to run their spearphishing campaigns, at times sending specifically crafted emails to Microsoft Outlook users and using a previously unknown zero-day vulnerability to transmit victims' login credentials back to the routers.
The devices also were used to house a fake Yahoo landing page used in other campaigns and to store the credentials that were stolen in the scam.
The DOJ and FBI themselves used the Moobot malware to copy and delete stolen and malicious data and files from the infected routers and modified the routers' firewall rules to block anyone from remotely managing the devices.
That said, the steps taken to disconnect the routers from the Moobot network are temporary.
Moobot, a variant of the notorious Mirai botnet malware, was detected in 2021 by researchers with Fortinet's FortiGuard Labs group and has been actively used since.
In September 2022, Palo Alto Networks' Unit 42 group said it found attackers targeting vulnerabilities in D-Link devices, and FortiGuard analysts in March 2023 reported on attacks targeting vulnerabilities in Cacti and Realtek software and spreading the Moobot and ShellBot malware.
More recently, Unit 42 researchers late last year issued a warning about APT28 targeting a vulnerability in Outlook, while a cybersecurity agency within the Ukrainian government said the Russian hackers were running phishing attacks against Ukrainian military personnel.
Last month, federal authorities shut down a botnet run by the Chinese state-sponsored threat group Volt Typhoon, which had infected Cisco and Netgear home and small office routers with the KV Botnet malware to create a botnet consisting of hundreds of compromised devices.
Like APT28, Volt Typhoon used the botnet to conceal its identity while it ran cyberespionage campaigns against the United States.
In some instances, the APT group had hidden in networks for as long as five years.
The private sector also is seeing such groups in action.
In a joint statement this week, Microsoft and OpenAI said they had disrupted the activities of five state-affiliated groups - including APT28 - that were trying to use OpenAI services in their operations for such tasks as querying open-source information, translating, finding coding errors, and running basic coding tasks.
This Cyber News was published on securityboulevard.com. Publication date: Thu, 15 Feb 2024 21:13:04 +0000