Justice Department Breaks Russian Military Botnet in Fancy Bear Takedown

The Department of Justice (DoJ) has disrupted a botnet used by Russian military intelligence for widespread cyber espionage.

The network was made up of hundreds of small office/home office (SOHO) routers that Russian Military Unit 26165 (better known as Fancy Bear, APT28, Sofacy Group, Forest Blizzard, Pawn Storm and Sednit) used to launch cyber crimes, including spear-phishing, credential harvesting and more, according to the DoJ.

And unlike the custom-built networks typically used by cybercriminals affiliated with the Russian state, this one was built on top of existing malware, called Moobot, linked to other known cybercriminals, the Justice Department said in its announcement.

“Non-GRU cybercriminals installed Moobot malware on Ubiquiti Edge OS routers that were still using publicly known default administrator passwords,” the DoJ explained. “The GRU hackers then used the Moobot malware to install their own custom scripts and files that repurposed the botnet, turning it into a global espionage platform.”

According to the DoJ, US law enforcement was able to use the Moobot malware itself to access the compromised routers, copy and delete the stolen and malicious data and files, and, to keep the GRU out until victims could regain full control of the devices, modify the routers' firewall rules to block remote management access.

The US government said that the affected Ubiquiti EdgeOS routers in the US have been disconnected from the Moobot network, but that the changes made to the devices are temporary and reversible. The DoJ urges users to complete a factory reset on affected routers and then change the default administrator password, since a reset alone returns the device to the same default credentials that let it be compromised in the first place.
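The chain the DoJ describes starts with an administrator account still set to its shipped defaults and a management service reachable from the internet. The script below is an added example (not DoJ or Ubiquiti code) that audits an exported EdgeOS `config.boot` for exactly those two conditions: a still-present default `ubnt` account and an SSH or web GUI service with no `listen-address` restriction. The configuration text is constructed for illustration and its hashes are placeholders; the section names (`login`/`user`, `service`/`ssh`/`listen-address`) follow EdgeOS syntax as understood here and should be checked against a real device export. Verifying whether a stored hash actually equals the default password would need crypt(3) and is deliberately left out.

```python
"""Audit an EdgeOS config.boot export for default-account and exposed-management
weaknesses.  Added example, not code from the DoJ or Ubiquiti."""

# Constructed sample config (assumption: EdgeOS brace syntax).  The default
# 'ubnt' account is still present and SSH has no listen-address restriction.
# The hash values are placeholders, not real default hashes.
SAMPLE_CONFIG = """\
login {
    user ubnt {
        authentication {
            encrypted-password $1$placeholder$notarealhash
        }
        level admin
    }
    user netops {
        authentication {
            encrypted-password $6$placeholder$notarealhash
        }
        level admin
    }
}
service {
    ssh {
        port 22
        protocol-version v2
    }
    gui {
        https-port 443
        listen-address 192.168.1.1
    }
}
"""

DEFAULT_USERS = {"ubnt"}  # EdgeOS ships with the ubnt/ubnt account


def parse_config(text):
    """Parse EdgeOS's brace-delimited config into nested dicts.

    Each line is either a 'key value' leaf or a 'key {' block opener; a bare
    '}' closes the innermost block.  Repeated keys such as 'user ubnt {' and
    'user netops {' stay distinct because the whole 'user <name>' is the key.
    """
    root, stack, node = {}, [], None
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        else:
            key, _, value = line.partition(" ")
            node[key] = value
    return root


def audit(cfg):
    """Return a list of human-readable findings for the parsed config."""
    findings = []
    for key, user in cfg.get("login", {}).items():
        if not key.startswith("user "):
            continue
        name = key.split(" ", 1)[1]
        auth = user.get("authentication", {})
        if name in DEFAULT_USERS:
            findings.append(
                f"default account '{name}' still present "
                f"(level {user.get('level', '?')}); delete it or set a new password"
            )
        if "plaintext-password" in auth:
            findings.append(f"account '{name}' has a plaintext-password entry in config")
    # A management daemon with no listen-address listens on every interface;
    # only the WAN_LOCAL firewall rules then stand between it and the internet.
    for svc in ("ssh", "gui"):
        block = cfg.get("service", {}).get(svc)
        if block is not None and "listen-address" not in block:
            findings.append(
                f"{svc} management has no listen-address; it listens on all "
                f"interfaces, so confirm WAN firewall rules block it"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run it against a real export (`show configuration` on the device, or the `/config/config.boot` file) after the factory reset and password change; a clean run returns no findings for the default account, and any remaining listen-address finding is the cue to bind management to the LAN address or tighten the WAN firewall.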

Value in slowing down espionage efforts

Deputy Attorney General Lisa Monaco noted that this is the second time in two months that the DoJ has disrupted a state-sponsored botnet. John Hultquist, chief analyst at Mandiant Intelligence at Google Cloud, said that while this operation alone is unlikely to have a significant impact on Russian cyber espionage operations, there is value in slowing those efforts with such disruptions.

“These actions are no panacea and this actor will soon be back with a new plan, but as the election approaches, there has never been a better time to add friction to GRU operations,” Hultquist explained in a statement. “The hacking and leak operations they have carried out may be the most effective cyber attack on the election we have seen, and we have no reason to believe they will not repeat this tactic once again.”
