Russian Military Botnet Dismantled

Uploaded on 2024-03-06 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-Russia, GOVERNMENT-Defence, FREE TO VIEW

The Department of Justice claims ist has disrupted a botnet controlled by the Russian state-sponsored hacking group Forest Blizzard, also known as Fancy BearThe Russian hackers' targets include US and foreign governments, military entities, and security and corporate organisations.

The FBI operation copied and deleted stolen files and other data from the compromised routers and, working with local Internet service providers, the FBI then informed  the owners and operators of the routers. 

The FBI operation took down a botnet of Small Office/Home Office (SOHO) routers, which has been used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic and to target the United States and its allies in spearphishing and credential theft attacks. This network of hundreds of Ubiquiti Edge OS routers infected with Moobot malware was controlled by GRU Military Unit 26165, also tracked as APT28, Fancy Bear, Forest Blizzard and Sednit.

The US Justice Department said this botnet was built by cyber criminals using the known ‘Moobot’ malware and later commandeered by the Russian APT group.

“Non-GRU cyber criminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the agency said.

The operation also disabled remote access to the devices, which were used by individuals and small offices across the US Users can regain normal access to the devices through factory resets.

Muhammad Yahya Patel, lead security engineer at Check Point Software, commented : "It’s good to see that the FBI has taken this action. However, it underscores crucial lessons for our cybersecurity posture. Routers and internet-facing devices must proactively block access to known malicious domains, with real-time threat intelligence for dynamic updates as new threats emerge."

“For sensitive offices, additional authentication measures are vital. The persistence of such threats raises questions about the efficacy of our defences and shows the need for constant vigilance... Remote access should be fortified with strict controls. These measures constitute basic cyber hygiene, expected and enforced across government, military, and corporate sectors." Patel said.

Cyber criminals not linked with the Russian Military Intelligence infiltrated Ubiquiti Edge OS routers and deployed the Moobot malware, targeting Internet-exposed devices with widely known default administrator passwords. Subsequently, the GRU hackers leveraged the Moobot malware to deploy their own custom malicious tools, effectively repurposing the botnet into a cyber espionage tool with global reach.

The FBI has discovered a wide range of APT28 tools and artifacts, from Python scripts for harvesting webmail credentials and programs for stealing NTLMv2 digests to custom routing rules that redirected phishing traffic to dedicated attack infrastructure.

This operation serves to reinforce the need to implement robust password policies, alongside strict user access control to enforce the principle of least privilege. Continuous security monitoring of internet-facing devices is vital to detect and defeat covert  activities.

Bleeping Computer     |     Cybersecurity Drive     |     U.S. Department of Justice     |     Checkpoint     

New York Times     |     Security Week

Image: Unsplash

You Might Also Read:

Lockbit's Website Taken Down By Law Enforcement:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Email Attacks Doubled In 2023
Threat Intelligence Exposes The Extent of Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Phoenix TS

Phoenix TS

Phoenix TS offers world-class management, computer, and IT security certification training courses.

InteliSecure

InteliSecure

InteliSecure offer Professional Services, Security Assessments and Managed Services for data and threat protection.

X-act Forensics

X-act Forensics

X-act forensics are computer forensic experts with experience in cases of computer fraud, intellectual property theft, and social networking cases.

Bit4id

Bit4id

Bit4id provides software and systems for security and identification based on PKI technology.

Averon

Averon

Averon's technology is the new gold standard for digital identity - the easiest, fastest and most secure verification solution for users on both WiFi and LTE.

Codified Security

Codified Security

Codified is a testing platform for mobile application software. We make it easier than ever for companies to detect and fix security vulnerabilities and ensure their applications are compliant.

CloudMask

CloudMask

CloudMask patent technology provides Dynamic Data Masking (DDM) that masks sensitive data, structured or non-structured, in real-time.

Cyscale

Cyscale

Cyscale automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Swiss Accreditation Service (SAS)

Swiss Accreditation Service (SAS)

SAS is the national accreditation body for Switzerland. The directory of members provides details of organisations offering certification services for ISO 27001.

Trusona

Trusona

Trusona is a pioneer and leader in passwordless two-factor authentication (2FA).

MyCyberSecurity Clinic (MyCSC)

MyCyberSecurity Clinic (MyCSC)

MyCyberSecurity Clinic's main goal is toward establishing an international reference centre for excellence in the field of digital forensics and data recovery services.

Montreal International

Montreal International

You’re an entrepreneur planning to launch a company in an innovative sector such as AI, cybersecurity, 'deeptech' or fintech? You’ve found the right place!

Defendify

Defendify

We built Defendify to help small businesses navigate the cybersecurity landscape with cybersecurity that is dead simple, affordable, and works around the clock.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Luxembourg House of Financial Technology (LHoFT)

Luxembourg House of Financial Technology (LHoFT)

Offering start-up incubation, co-working spaces including a soft-landing platform, the LHoFT connects and creates value for the entire Luxembourg FinTech ecosystem.

Fullstack Academy

Fullstack Academy

A trailblazer in bootcamp education, Fullstack Academy prepares students for fulfilling careers in tech through our NYC campus, online learning, and university partnerships.