CyberSecurity SEE

DoJ Takes Down Russian Military Botnet in Fancy Bear Operation


The Department of Justice (DoJ) has disrupted a botnet that Russian military intelligence used for widespread cyber espionage. The network consisted of hundreds of individual small office/home office (SOHO) routers that GRU Military Unit 26165, also tracked as Fancy Bear, APT28, Sofacy Group, Forest Blizzard, Pawn Storm, and Sednit, used to conduct operations such as spear-phishing and credential harvesting, according to the DoJ.

According to the DoJ, this botnet was built on existing malware called Moobot, which is linked to other known cybercriminal actors and differs from the custom-built networks typically operated by Russian state-affiliated threat actors. Non-GRU cybercriminals first installed Moobot on Ubiquiti EdgeOS routers that were still using publicly known default administrator passwords; GRU operators then used that foothold to deploy their own bespoke scripts and files, repurposing the botnet into a global espionage platform.

US law enforcement used the Moobot malware itself to access the compromised routers, copy and delete the stolen data, remove malicious files, regain full control of the devices, and block further remote access. The affected Ubiquiti EdgeOS routers were then disconnected from the Moobot network. The changes made to the devices were reported to be temporary, so the DoJ urged owners to perform a factory reset on affected routers and then change the default administrator password, since a reset alone restores the default credentials that allowed the initial compromise.

According to Deputy Attorney General Lisa Monaco, this is the second time in two months that the DoJ has disrupted a state-sponsored botnet. Jeff Hultquist, chief analyst with Mandiant Intelligence at Google Cloud, said that while this operation alone is unlikely to have a significant impact on Russian cyber-espionage operations, there is value in slowing those efforts through repeated disruptions. He noted that such actions are not a panacea and that the actor will likely return with a new scheme soon, but added that with elections looming there has never been a better time to add friction to GRU operations. The hack-and-leak operations the group has carried out may be the most effective cyberattacks on elections seen to date, and there is no reason to believe it will not repeat the tactic.

In conclusion, the disruption of the botnet used by Russian military intelligence is a significant achievement for US law enforcement and the DoJ in the fight against cyber espionage. The reuse of existing criminal malware and of routers compromised through default credentials to build a global espionage platform underscores how much depends on basic network hygiene, above all changing default passwords on internet-facing devices. While such disruptions will not eliminate state-sponsored cyber-espionage, they demonstrate a proactive effort to slow these operations and to protect critical infrastructure and democratic processes.
