In January 2024, a global cybercrime network of hundreds of SOHO routers was dismantled in an operation targeting GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit. This network was responsible for spearphishing and credential harvesting against entities of interest to the Russian government, such as U.S. and foreign governments, military, and key security and corporate sectors.
The operation, authorized by the Department, targeted the Moobot malware, associated with a known criminal group, which had been installed on Ubiquiti Edge OS routers using publicly known default administrator passwords. Once the non-GRU cybercriminals installed the Moobot malware, GRU hackers then used it to repurpose the botnet, turning it into a global cyber espionage platform.
During the operation, the Department utilized the Moobot malware to copy and delete stolen and malicious data and files from compromised routers. In addition, the operation temporarily modified the routers’ firewall rules to block remote management access to the devices in order to neutralize the GRU’s access to the routers.
FBI Director Christopher Wray expressed concern over Russia’s continued malicious targeting of the United States through its botnet campaigns. The FBI utilized its technical capabilities to disrupt Russia’s access to hundreds of routers belonging to individuals and small and home offices. Wray emphasized that this type of criminal behavior is unacceptable, and the FBI, in coordination with federal and international partners, will not allow Russia’s services to negatively impact the American people and their allies.
Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division emphasized the significance of the operation, noting that it represented the third time since Russia’s unjustified invasion of Ukraine that the Department has stripped the Russian intelligence services of a key tool used to further the Kremlin’s acts of aggression and other malicious activities.
U.S. Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania also condemned the actions of Russian military intelligence, stating that as long as nation-state adversaries continue to threaten U.S. national security in this way, law enforcement and partners will use every tool available to disrupt their cyber activities.
The government extensively tested the operation on the relevant Ubiquiti Edge OS routers and assured that, other than stymieing the GRU’s ability to access the routers, the operation did not impact the routers’ normal functionality or collect legitimate user content information. Additionally, the court-authorized steps to disconnect the routers from the Moobot network were temporary and users could roll back the firewall rule changes by undertaking factory resets of their routers or by accessing their routers through their local network.
In conclusion, the operation successfully dismantled a global cybercrime network controlled by GRU Military Unit 26165. The actions taken by the Department and its partners to disrupt the botnet were necessary to protect the public and allies from the threats posed by such cybercriminal activities. The government has assured that the operation did not have any long-term impact on the functionality of the routers and has provided guidance for users to secure their routers from future compromise.
