The US government on Thursday said it had disrupted a botnet comprising hundreds of small office and home office (SOHO) routers in the country, used by Russia-linked actor APT28 to hide its malicious activities.
“These crimes included extensive spear-phishing and similar credential-harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations,” the U.S. Department of Justice (DoJ) said in a statement.
APT28, also tracked under the names BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy and TA422, is believed to be linked to Military Unit 26165 of Russia’s Main Directorate of the General Staff (GRU). It is known to have been active since at least 2007.
Court documents say the attackers carried out their cyber espionage campaigns by relying on MooBot, a Mirai-based botnet that located routers made by Ubiquiti and co-opted them into a network of devices that could be modified to act as proxies, relaying malicious traffic while shielding the attackers’ actual IP addresses.
The botnet, the DoJ said, allowed the threat actors to mask their true location and harvest NT LAN Manager (NTLM) v2 credentials and hashes via custom scripts, as well as to host spear-phishing landing pages and other custom tools used to brute-force passwords, steal router users’ passwords and propagate the MooBot malware to other devices.
In an affidavit filed by the U.S. Federal Bureau of Investigation (FBI), the agency said MooBot exploits vulnerable, publicly accessible Ubiquiti routers that still use default credentials and implants SSH malware that allows persistent remote access to the device.
“Non-GRU cybercriminals installed MooBot malware on Ubiquiti Edge OS routers that were still using publicly known default administrator passwords,” the DoJ explained. “GRU hackers then used the MooBot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.”
The APT28 actors are suspected to have found and illegally accessed the compromised Ubiquiti routers by conducting public scans of the Internet using a specific OpenSSH version number as a search parameter, and then using MooBot to access those routers.
The spear-phishing campaigns undertaken by the hacking group also exploited a then-zero-day vulnerability in Outlook (CVE-2023-23397) to steal login credentials and send them to the routers.
“In another identified campaign, APT28 actors designed a fake Yahoo! landing page to send credentials entered on the fake page to a compromised Ubiquiti router, to be collected by APT28 actors at their convenience,” the FBI said.
As part of efforts to disrupt the botnet in the United States and prevent further crimes, a series of unspecified commands were issued to copy the stolen data and malicious files before deleting them, and to modify the routers’ firewall rules so as to block APT28’s remote access to the devices.
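The two defensive measures the filing describes, replacing a factory-default administrator password and blocking management access from the Internet, map onto an EdgeOS configuration like the one below. This is an added illustration written for this article, not a command sequence from the DoJ filing or from Ubiquiti; the syntax follows the Vyatta-derived EdgeOS CLI, while the account name `netadmin`, the password placeholder and the WAN interface `eth0` are assumptions that must be adapted to the device.

```text
configure

# Create a new administrator and drop the factory account instead of
# keeping the default one. 'netadmin' and the passphrase are placeholders
# (assumptions for this example); log in as the new user before deleting
# 'ubnt', the default EdgeOS account.
set system login user netadmin authentication plaintext-password 'REPLACE-WITH-A-LONG-UNIQUE-PASSPHRASE'
set system login user netadmin level admin
commit
delete system login user ubnt

# WAN_LOCAL governs traffic from the Internet-facing interface to the
# router itself. Only replies to connections the router initiated are
# accepted; everything else, including SSH and HTTPS management attempts
# from the WAN, falls through to the default drop.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable

# eth0 is assumed to be the WAN interface; attach the ruleset to the
# 'local' hook so it filters traffic destined for the router itself.
set interfaces ethernet eth0 firewall local name WAN_LOCAL

commit
save
exit
```

A firewall rule alone does not undo an existing implant: because the affidavit describes SSH-based persistence, the device’s SSH authorized keys, login accounts and scheduled tasks should also be reviewed for entries the owner did not create, and a device that cannot be verified clean should be reset to factory firmware before the hardened configuration is applied.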
The exact number of compromised devices in the United States has been redacted, although the FBI noted that the figure could change. Infected Ubiquiti devices have been detected in “almost every state,” it added.
The court-authorized operation, called Dying Ember, comes just weeks after the U.S. dismantled another state-sponsored hacking campaign from China that exploited a different botnet, code-named KV-botnet, to target critical infrastructure facilities.
Last May, the U.S. also announced the takedown of a global network of machines compromised by an advanced malware strain called Snake, used by hackers associated with Russia’s Federal Security Service (FSB), otherwise known as Turla.