The US government has neutralized another small office/home office (SOHO) router botnet being used by Russian cyberspies in malware campaigns.
According to a notice from the Department of Justice, a court-authorized operation disrupted a network of hundreds of Ubiquiti Edge OS routers under the control of the notorious APT28 group.
The group, also known as Forest Blizzard/Sofacy/Fancy Bear, is connected to the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) and was caught using the hijacked routers as a “global espionage platform.”
The Justice Department said this botnet was built by cybercriminals using the known ‘Moobot’ malware and later commandeered by the Russian APT group.
“Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the agency said.
WIth a court order, US law enforcement said it “leveraged the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.”
“Additionally, in order to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation,” the Justice Department said.
The government said it “extensively tested the operation” on relevant Ubiquiti Edge OS routers and was careful not to impact the routers’ normal functionality or collect legitimate user content information.
The takedown comes less than a month after law enforcement disrupted a different botnet full of end-of-life Cisco and Netgear routers after researchers warned it was being used by Chinese state-backed hackers as a covert communications channel.
Related: US Gov Disrupts Router Botnet Used by Chinese APT
Related: Chinese APT Volt Typhoon Linked to SOHO Router Botnet
Related: Mandiant Raises Alarm for ‘Volt Typhoon’ Hacking Group