SecurityWeek

Malware & Threats

US Government Urges Cleanup of Routers Infected by Russia’s APT28

The US government says Russia’s APT28 group compromised Ubiquiti EdgeRouters to run cyberespionage operations worldwide.

Two weeks after dismantling a botnet of Ubiquiti routers used by a Russian advanced persistent threat (APT) actor to conduct cyberespionage operations worldwide, the US government is urging organizations and consumers to clean up their devices in support of the disruption effort.

According to the US, hundreds of small office/home office (SOHO) routers from Ubiquiti were ensnared into a botnet after cybercriminals infected them with the ‘Moobot’ malware.

Control of the infected Ubiquiti EdgeRouters was then handed over to the Russian cyberespionage group APT28, which is also known as Fancy Bear, Forest Blizzard, Pawn Storm, Sednit, and Sofacy Group, and which is connected to the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU).

APT28 has been abusing compromised EdgeRouters for covert operations since 2022, the FBI, NSA, and US Cyber Command note in a joint advisory (PDF), targeting aerospace, energy, government, manufacturing, oil and gas, technology, and transportation organizations in Europe, the Middle East, and the US.

To access EdgeRouters, APT28 used default credentials and trojanized OpenSSH server processes associated with Moobot, a Mirai-based piece of malware that ensnares internet of things (IoT) devices into a botnet, the joint advisory reads.

The attackers would obtain root access to compromised Ubiquiti EdgeRouters, which enabled them to install various tools and to obfuscate their identity.

“APT28 actors have used compromised EdgeRouters to collect credentials, proxy network traffic, and host spoofed landing pages and custom post-exploitation tools,” the joint advisory reads.

The threat actor was seen exploiting an Outlook zero-day (CVE-2023-23397) to collect NTLMv2 digests from targeted Outlook accounts and deploying custom Python scripts for harvesting and validating the credentials of webmail users.


Additionally, APT28 was seen using iptables rules on the compromised routers to establish reverse proxy connections to the group’s infrastructure and uploading their own SSH RSA keys to establish reverse SSH tunnels to the compromised devices.

EdgeRouters, the advisory reveals, were also used as command-and-control (C&C) infrastructure for MasePie, a Python backdoor that supports arbitrary command execution and is deployed on victims’ systems rather than on the EdgeRouters themselves.

The advisory also provides indicators of compromise (IoCs) that organizations and consumers are encouraged to use when hunting for signs of infection, as well as mitigation recommendations, which include factory resetting devices, upgrading to the latest firmware release, changing default credentials, and implementing firewall rules to prevent exposure of remote management services.
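As an added illustration (not code from the advisory or from this article), a small Python hunt check over two of the artifacts described above: NAT rules on a router that forward traffic to addresses outside the operator's own ranges, and SSH authorized_keys entries that are not on an operator allowlist. The trusted networks, the key allowlist and the sample dumps are all constructed placeholders, not indicators from the advisory.

```python
"""Hunt check for a Linux-based router (e.g. an EdgeRouter) configuration dump."""
import ipaddress
import re

# Constructed allowlists: the operator's own address ranges and known-good SSH keys.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_KEYS = {"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example"}

# Constructed sample input standing in for `iptables -t nat -S` output and for
# /root/.ssh/authorized_keys on a router; 203.0.113.0/24 is a documentation range.
SAMPLE_IPTABLES = """\
-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT --to-destination 192.168.1.20:443
-A PREROUTING -i eth0 -p tcp --dport 4444 -j DNAT --to-destination 203.0.113.77:4444
"""
SAMPLE_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDunknownkey
"""

def suspicious_nat_rules(iptables_dump, trusted_nets=TRUSTED_NETS):
    """Return NAT rules whose rewrite target lies outside the operator's own ranges."""
    findings = []
    for line in iptables_dump.splitlines():
        m = re.search(r"--to-(?:destination|source)\s+(\d+\.\d+\.\d+\.\d+)", line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if not any(addr in net for net in trusted_nets):
            findings.append(line.strip())
    return findings

def unknown_ssh_keys(authorized_keys, allowlist=ALLOWED_KEYS):
    """Return authorized_keys lines whose 'type blob' pair is not on the allowlist."""
    findings = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options may precede the key type, so locate the type field rather than assuming column 0.
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(fields) or f"{fields[idx]} {fields[idx + 1]}" not in allowlist:
            findings.append(line)
    return findings

if __name__ == "__main__":
    for finding in suspicious_nat_rules(SAMPLE_IPTABLES) + unknown_ssh_keys(SAMPLE_KEYS):
        print("REVIEW:", finding)
```

Any line the script prints is a starting point for review against the advisory's IoCs, not a verdict; a legitimate port forward to a public address would also be listed.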

“Owners of relevant devices should take the remedial actions to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises,” the advisory reads.

Related: Russian APT Used Zero-Click Outlook Exploit

Related: Russian Cyberspies Targeting Cloud Infrastructure via Dormant Accounts

Related: Russian Turla Cyberspies Target Polish NGOs With New Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
