Russian Military Botnet Dismantled

The Department of Justice claims ist has disrupted a botnet controlled by the Russian state-sponsored hacking group Forest Blizzard, also known as Fancy BearThe Russian hackers' targets include US and foreign governments, military entities, and security and corporate organisations.

The FBI operation copied and deleted stolen files and other data from the compromised routers and, working with local Internet service providers, the FBI then informed  the owners and operators of the routers. 

The FBI operation took down a botnet of Small Office/Home Office (SOHO) routers, which has been used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic and to target the United States and its allies in spearphishing and credential theft attacks. This network of hundreds of Ubiquiti Edge OS routers infected with Moobot malware was controlled by GRU Military Unit 26165, also tracked as APT28, Fancy Bear, Forest Blizzard and Sednit.

The US Justice Department said this botnet was built by cyber criminals using the known ‘Moobot’ malware and later commandeered by the Russian APT group.

“Non-GRU cyber criminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the agency said.

The operation also disabled remote access to the devices, which were used by individuals and small offices across the US Users can regain normal access to the devices through factory resets.

Muhammad Yahya Patel, lead security engineer at Check Point Software, commented : "It’s good to see that the FBI has taken this action. However, it underscores crucial lessons for our cybersecurity posture. Routers and internet-facing devices must proactively block access to known malicious domains, with real-time threat intelligence for dynamic updates as new threats emerge."

“For sensitive offices, additional authentication measures are vital. The persistence of such threats raises questions about the efficacy of our defences and shows the need for constant vigilance... Remote access should be fortified with strict controls. These measures constitute basic cyber hygiene, expected and enforced across government, military, and corporate sectors." Patel said.

Cyber criminals not linked with the Russian Military Intelligence infiltrated Ubiquiti Edge OS routers and deployed the Moobot malware, targeting Internet-exposed devices with widely known default administrator passwords. Subsequently, the GRU hackers leveraged the Moobot malware to deploy their own custom malicious tools, effectively repurposing the botnet into a cyber espionage tool with global reach.

The FBI has discovered a wide range of APT28 tools and artifacts, from Python scripts for harvesting webmail credentials and programs for stealing NTLMv2 digests to custom routing rules that redirected phishing traffic to dedicated attack infrastructure.

This operation serves to reinforce the need to implement robust password policies, alongside strict user access control to enforce the principle of least privilege. Continuous security monitoring of internet-facing devices is vital to detect and defeat covert  activities.

Bleeping Computer     |     Cybersecurity Drive     |     U.S. Department of Justice     |     Checkpoint     

New York Times     |     Security Week

Image: Unsplash

You Might Also Read:

Lockbit's Website Taken Down By Law Enforcement:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Email Attacks Doubled In 2023
Threat Intelligence Exposes The Extent of Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

I-Tracing

I-Tracing

I-TRACING are experts in IT security, specialized in legal compliance of information systems, security of information systems, and the collection of digital evidence and traces.

International Computer Science Institute (ICSI)

International Computer Science Institute (ICSI)

ICSI is a leading independent, nonprofit center for research in computer science. Research areas include network security and privacy.

Aviva

Aviva

Aviva provides Cyber Liability cover for small to mid-market customers to help combat the threat of data and privacy breach.

Cybint Solutions

Cybint Solutions

Cybint provides customized cyber education and training solutions for Higher Education, Companies and Government.

Fujitsu

Fujitsu

Fujitsu is the leading Japanese global information and communication technology company, offering a full range of products, solutions and services including Managed IT Services and Cyber Security.

LEADS

LEADS

LEADS is considered as a leading ICT Solution Provider and an IT partner of choice in Bangladesh.

SmartContractAudits.com

SmartContractAudits.com

SmartContractAudits.com is the leading platform for finding companies providing smart contract auditing services.

Deepwatch

Deepwatch

deepwatch’s cloud SecOps platform and relentless customer focus are redefining the managed security services industry.

SAIFE

SAIFE

SAIFE has adapted a Software Defined Perimeter approach and paired it with a Zero Trust model that defines access by the user, their device, and where they are located.

Etonwood

Etonwood

Etonwood specialises in infrastructure and vendor technology recruitment in areas including cloud platforms, cyber security and service management.

Nemstar

Nemstar

Nemstar is a specialist in Information Security & Cyber Training with over 25 years' industry experience.

Prophaze Technologies

Prophaze Technologies

Prophaze enable organizations and SaaS providers to improve their web application cybersecurity and reduce costs through AI automation.

Veza Technologies

Veza Technologies

Veza is the authorization platform for data. Built for hybrid, multi-cloud environments, Veza enables organizations to manage and control who can and should take what action on what data.

Yarix

Yarix

Yarix is the leading company in Var Group’s Digital Security division and one of the most recognised, innovative and authoritative Italian companies in the IT security sector.

Levio

Levio

Levio is a digital native business and technology consulting firm. As a true partner from start to finish, our goal is a long-lasting transformation that’s right for your business model.

Fortress SRM

Fortress SRM

Fortress SRM protects companies from the financial, operational, and emotional trauma of cybercrime by improving the security performance of its people, processes, and technology.