Russian Military Botnet Dismantled

Uploaded on 2024-03-06 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-Russia, GOVERNMENT-Defence, FREE TO VIEW

The Department of Justice claims ist has disrupted a botnet controlled by the Russian state-sponsored hacking group Forest Blizzard, also known as Fancy BearThe Russian hackers' targets include US and foreign governments, military entities, and security and corporate organisations.

The FBI operation copied and deleted stolen files and other data from the compromised routers and, working with local Internet service providers, the FBI then informed  the owners and operators of the routers. 

The FBI operation took down a botnet of Small Office/Home Office (SOHO) routers, which has been used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic and to target the United States and its allies in spearphishing and credential theft attacks. This network of hundreds of Ubiquiti Edge OS routers infected with Moobot malware was controlled by GRU Military Unit 26165, also tracked as APT28, Fancy Bear, Forest Blizzard and Sednit.

The US Justice Department said this botnet was built by cyber criminals using the known ‘Moobot’ malware and later commandeered by the Russian APT group.

“Non-GRU cyber criminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the agency said.

The operation also disabled remote access to the devices, which were used by individuals and small offices across the US Users can regain normal access to the devices through factory resets.

Muhammad Yahya Patel, lead security engineer at Check Point Software, commented : "It’s good to see that the FBI has taken this action. However, it underscores crucial lessons for our cybersecurity posture. Routers and internet-facing devices must proactively block access to known malicious domains, with real-time threat intelligence for dynamic updates as new threats emerge."

“For sensitive offices, additional authentication measures are vital. The persistence of such threats raises questions about the efficacy of our defences and shows the need for constant vigilance... Remote access should be fortified with strict controls. These measures constitute basic cyber hygiene, expected and enforced across government, military, and corporate sectors." Patel said.

Cyber criminals not linked with the Russian Military Intelligence infiltrated Ubiquiti Edge OS routers and deployed the Moobot malware, targeting Internet-exposed devices with widely known default administrator passwords. Subsequently, the GRU hackers leveraged the Moobot malware to deploy their own custom malicious tools, effectively repurposing the botnet into a cyber espionage tool with global reach.

The FBI has discovered a wide range of APT28 tools and artifacts, from Python scripts for harvesting webmail credentials and programs for stealing NTLMv2 digests to custom routing rules that redirected phishing traffic to dedicated attack infrastructure.

This operation serves to reinforce the need to implement robust password policies, alongside strict user access control to enforce the principle of least privilege. Continuous security monitoring of internet-facing devices is vital to detect and defeat covert  activities.

Bleeping Computer     |     Cybersecurity Drive     |     U.S. Department of Justice     |     Checkpoint     

New York Times     |     Security Week

Image: Unsplash

You Might Also Read:

Lockbit's Website Taken Down By Law Enforcement:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Email Attacks Doubled In 2023
Threat Intelligence Exposes The Extent of Cyber Attacks »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Gigasoft

Gigasoft

Gigasoft provide secure online data backup & cloud backup services for the education sector and businesses.

CamCERT

CamCERT

CamCERT is the national Computer Emergency Response Team for Cambodia.

Internet Storm Center (ISC)

Internet Storm Center (ISC)

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with ISPs to fight back against the most malicious attackers.

Optiv

Optiv

Optiv is a market-leading provider of end-to-end cyber security solutions. We help clients plan, build and run successful cyber security programs that achieve business objectives.

adaware

adaware

adaware is an award-winning security and privacy software provider, empowering users to connect with confidence.

Pixalate

Pixalate

Pixalate is an omni-channel fraud intelligence company that works with brands and platforms to prevent invalid traffic and improve ad inventory quality.

Cofrac

Cofrac

Cofrac is the national accreditation body for France. The directory of members provides details of organisations offering certification services for ISO 27001.

White Bullet

White Bullet

White Bullet’s risk profiling AI detects, dynamically scores and flags unsafe domains, apps and advertising.

Infosec Global

Infosec Global

Infosec Global provides technology innovation, thought leadership and expertise in cryptographic life-cycle management.

SAIFE

SAIFE

SAIFE has adapted a Software Defined Perimeter approach and paired it with a Zero Trust model that defines access by the user, their device, and where they are located.

BATM Advanced Communications

BATM Advanced Communications

BATM Advanced Communications is a leading provider of real-time technologies for networking and cyber security solutions.

Eficens Systems

Eficens Systems

Eficens Systems is a global IT services and consulting company. We specialize in empowering businesses to harness the potential of Information Technology as a strategic asset.

Saidot

Saidot

Saidot is a Finnish AI governance and alignment company committed to helping businesses safely and transparently integrate AI into their operations.

2021.AI

2021.AI

2021.AI serves the growing business need for full oversight and management of applied AI.

ESProfiler

ESProfiler

Enterprise Security Profiler. Empowering CISOs with clarity & confidence in their security programme by visualising capabilities, usage and spend against their key threat priorities.

Teal Technology Consulting

Teal Technology Consulting

TEAL Technology Consulting is your trusted advisor for all your information security needs.