Malware & Threats

FBI Dismantles Ubiquiti Router Botnet Controlled by Russian Cyberspies

The US government says it has neutralized a network of hundreds of Ubiquiti Edge OS routers under the control of the Russia’s APT28 hackers.

Published

The US government says it has neutralized a network of hundreds of Ubiquiti Edge OS routers under the control of the Russia's APT28 hackers.

The US government has neutralized another small office/home office (SOHO) router botnet being used by Russian cyberspies in malware campaigns.

According to a notice from the Department of Justice, a court-authorized operation disrupted a network of hundreds of Ubiquiti Edge OS routers under the control of the notorious APT28 group.

The group, also known as Forest Blizzard/Sofacy/Fancy Bear, is connected to the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) and was caught using the hijacked routers as a “global espionage platform.”

The Justice Department said this botnet was built by cybercriminals using the known ‘Moobot’ malware and later commandeered by the Russian APT group. 

“Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the agency said.

WIth a court order, US law enforcement said it “leveraged the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.”

“Additionally, in order to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation,” the Justice Department said.

The government said it “extensively tested the operation” on relevant Ubiquiti Edge OS routers and was careful not to impact the routers’ normal functionality or collect legitimate user content information. 

Advertisement. Scroll to continue reading.

The takedown comes less than a month after law enforcement disrupted a different botnet full of end-of-life Cisco and Netgear routers after researchers warned it was being used by Chinese state-backed hackers as a covert communications channel.

Related: US Gov Disrupts Router Botnet Used by Chinese APT

Related: Chinese APT Volt Typhoon Linked to SOHO Router Botnet 

Related: Mandiant Raises Alarm for ‘Volt Typhoon’ Hacking Group

Related: ‘Moobot’ Botnet Targets Hikvision Devices 

In this article:, , ,

Related Content

Malware & Threats

Russian Cyberspies Deliver ‘GooseEgg’ Malware to Government Organizations 

Russia-linked APT28 deploys the GooseEgg post-exploitation tool against numerous US and European organizations.

April 23, 2024

Network Security

Cisco Warns of Vulnerability in Discontinued Small Business Routers

Cisco says it will not release patches for a cross-site scripting vulnerability impacting end-of-life small business routers.

April 5, 2024

IoT Security

Researchers Discover 40,000-Strong EOL Router, IoT Botnet 

Malware hunters sound an alarm after discovering a 40,000-strong botnet packed with end-of-life routers and IoT devices being used in cybercriminal activities.

March 26, 2024

Cybercrime

FBI: Cybercrime Losses Exceeded $12.5 Billion in 2023

FBI’s IC3 publishes its 2023 Internet Crime Report, which reveals a 10% increase in the number of cybercrime complaints compared to 2022.

March 7, 2024

Malware & Threats

US Government Urges Cleanup of Routers Infected by Russia’s APT28

The US government says Russia’s APT28 group compromised Ubiquiti EdgeRouters to run cyberespionage operations worldwide.

February 28, 2024
Cisco exploited

Nation-State

US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon

The US government neutralizes a botnet full of end-of-life Cisco and Netgear routers being by a notorious Chinese APT group.

January 31, 2024

Ransomware

US Gov Disrupts BlackCat Ransomware Operation; FBI Releases Decryption Tool

The US government announced the disruption of the notorious BlackCat ransomware-as-a-service operation and released a decryption tool to help organizations recover hijacked data.

December 19, 2023

Cyberwarfare

Russian APT Used Zero-Click Outlook Exploit

Russian threat actor APT28 has been exploiting a no-interaction Outlook vulnerability in attacks against 14 countries.

December 8, 2023

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version