FBI dismantles Russia’s GRU botnet

In January 2024, the FBI conducted an authorised operation to dismantle a botnet consisting of hundreds of small office/home office (SOHO) routers. In a press release, the US Department of Justice (DoJ) shares that this network, controlled by GRU Military Unit 26165, also known as APT28 or Fancy Bear, was used to facilitate various illicit activities, including spearphishing and credential theft targeting the USA and its allies.

The operation uncovered the use of Moobot malware by the GRU, originally deployed by independent cyber criminals through exploiting default passwords on Ubiquiti Edge OS routers. Subsequently, the GRU repurposed the infected routers for their own cyberespionage endeavours, using a range of tools and tactics to target governments, military, security, and corporate organisations worldwide.

In the court-approved ‘Operation Dying Ember,’ FBI agents remotely accessed compromised routers and used the Moobot malware to delete stolen and malicious data. They then removed the malware and prevented further remote access, halting potential reinfection by threat actors. Additionally, the operation adjusted firewall rules on the routers to block remote management access temporarily, preventing malicious interference. Importantly, standard router functionality remained intact, and user data was not harvested. These actions, approved by the court, severed the routers’ connection to the Moobot botnet temporarily while allowing victims to regain control and mitigate the compromise.

‘For the second time in two months, we’ve disrupted state-sponsored hackers from launching cyberattacks behind the cover of compromised US routers,’ said Deputy Attorney General Lisa Monaco. The operation follows the dismantling of a botnet controlled by the Chinese state-linked hacker group Volt Typhoon.