The FBI took down a botnet of small office/home office (SOHO) routers used by Russia’s Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic and to target the United States and its allies in spearphishing and credential theft attacks.
This network of hundreds of Ubiquiti Edge OS routers infected with Moobot malware was controlled by GRU Military Unit 26165, also tracked as APT28, Fancy Bear, and Sednit.
The Russian hackers’ targets include U.S. and foreign governments, military entities, and security and corporate organizations.
“This botnet was distinct from prior GRU and Russian Federal Security Service (FSB) malware networks disrupted by the Department in that the GRU did not create it from scratch. Instead, the GRU relied on the ‘Moobot’ malware, which is associated with a known criminal group,” the Justice Department said.
Cybercriminals not linked with the GRU (Russian Military Intelligence) first infiltrated Ubiquiti Edge OS routers and deployed the Moobot malware, targeting Internet-exposed devices with widely known default administrator passwords.
Subsequently, the GRU hackers leveraged the Moobot malware to deploy their own custom malicious tools, effectively repurposing the botnet into a cyber espionage tool with global reach.
On compromised routers, the FBI discovered a wide range of APT28 tools and artifacts, from Python scripts for harvesting webmail credentials and programs for stealing NTLMv2 digests to custom routing rules that redirected phishing traffic to dedicated attack infrastructure.
FBI wipes malware and blocks remote access
As part of court-authorized “Operation Dying Ember,” FBI agents remotely accessed the compromised routers and used the Moobot malware itself to delete stolen and malicious data and files.
Next, they deleted the Moobot malware and blocked remote access that would’ve otherwise allowed the Russian cyberspies to reinfect the devices.
“Additionally, in order to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation,” the Justice Department said.
Besides thwarting GRU’s access to the routers, the operation did not disrupt the devices’ standard…
Click Here to Read the Full Original Article at BleepingComputer…