The Justice Department announced today that it has successfully conducted a court-authorized operation to neutralize a botnet controlled by the Russian Federation's Main Intelligence Directorate of the General Staff (GRU). The operation targeted a network of small office/home office (SOHO) routers that were used by the GRU to carry out various cybercrimes, including spearphishing and credential harvesting campaigns against U.S. and foreign governments, military organizations, and corporate entities.
The botnet, which was operated by GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, was distinct from previous GRU and Russian Federal Security Service (FSB) malware networks that the Justice Department has disrupted. Unlike those networks, this botnet was not built by the GRU from scratch. Instead, the GRU relied on the "Moobot" malware, which non-GRU cybercriminals had installed on Ubiquiti Edge OS routers by logging in with publicly known default administrator passwords. The GRU then used the Moobot malware to repurpose the botnet for its own cyber espionage activities.
The court-authorized operation conducted by the Justice Department leveraged the Moobot malware to copy and delete stolen and malicious data and files from the compromised routers. It also modified the routers' firewall rules to block remote management access and collected non-content routing information to expose any attempts by the GRU to thwart the operation.
Attorney General Merrick B. Garland stated, "The Justice Department is accelerating our efforts to disrupt the Russian government's cyber campaigns against the United States and our allies, including Ukraine. In this case, Russian intelligence services turned to criminal groups to help them target home and office routers, but the Justice Department disabled their scheme. We will continue to disrupt and dismantle the Russian government's malicious cyber tools that endanger the security of the United States and our allies."
Deputy Attorney General Lisa Monaco added, "For the second time in two months, we've disrupted state-sponsored hackers from launching cyber-attacks behind the cover of compromised U.S. routers. We will continue to leverage all of our legal authorities to prevent harm and protect the public — whether the hackers are from Russia, China, or another global threat."
FBI Director Christopher Wray emphasized the FBI's commitment to protecting the American people and their allies from cyber threats, stating, "Russia's GRU continues to maliciously target the United States through their botnet campaigns. The FBI utilized its technical capabilities to disrupt Russia's access to hundreds of routers belonging to individuals in addition to small and home offices. This type of criminal behavior is simply unacceptable, and the FBI, in coordination with our federal and international partners, will not allow for any of Russia's services to negatively impact the American people and our allies."
This operation marks the third time since Russia's invasion of Ukraine that the Justice Department has dismantled a key tool used by Russian intelligence services to further their malicious activities. U.S. Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania stated, "As long as our nation-state adversaries continue to threaten U.S. national security in this way, we and our partners will use every tool available to disrupt their cyber thugs — whomever and wherever they are."
The FBI led the international effort to remediate over a thousand compromised routers through Operation Dying Ember. Special Agent in Charge Jodi Cohen of the FBI Boston Field Office explained, "This operation should make it crystal clear to our adversaries that we will not allow anyone to exploit our technology and networks."
The Justice Department has urged router owners to take immediate action to protect themselves. The recommended remediation steps include performing a hardware factory reset, upgrading to the latest firmware version, changing default usernames and passwords, and implementing strategic firewall rules. The FBI advises router owners to avoid exposing their devices to the internet until default passwords have been changed.
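The remediation steps above, written out as EdgeOS configure-mode commands for the Ubiquiti routers the announcement refers to, as an added example that is not part of the Justice Department's guidance. It assumes eth0 is the WAN interface, that the router's LAN address is 192.168.1.1 (a constructed value), and that the replacement administrator account is named admin-local (a placeholder); interface names and addresses differ per device, and the hardware factory reset and firmware upgrade are done first, through the reset button and the vendor's upgrade procedure.

```text
# Weak state the Moobot operators relied on (factory default, do not leave in place):
#   account "ubnt" with the published default password, and SSH plus the web GUI
#   listening on every interface, including the WAN, with no WAN_LOCAL firewall policy.

configure

# 1. Replace the default administrator account. The plaintext password is hashed
#    on commit. Placeholder name and passphrase; choose your own.
set system login user admin-local level admin
set system login user admin-local authentication plaintext-password 'CHANGE-ME-long-random-passphrase'
commit
# Log out, log back in as admin-local, then remove the default account:
delete system login user ubnt

# 2. Bind management services to the LAN address only (assumed 192.168.1.1),
#    so they never answer on the WAN address.
set service ssh listen-address 192.168.1.1
set service gui listen-address 192.168.1.1

# 3. Firewall policy for traffic addressed to the router itself arriving on the WAN:
#    accept only replies to connections the router initiated, drop everything else.
#    This is the same effect the court-authorized operation achieved on infected
#    devices: remote management from the internet is blocked.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set interfaces ethernet eth0 firewall local name WAN_LOCAL

commit
save
exit

# 4. Confirm the result from operational mode before reconnecting the WAN:
show firewall name WAN_LOCAL
show configuration commands | match 'listen-address'
show system login
```

After the router is back online, check from outside the LAN that the WAN address no longer answers on the SSH and web-GUI ports.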
This successful operation demonstrates the continued efforts of the Justice Department and its partners to disrupt and dismantle cyber threats from state-sponsored actors. The collaboration between law enforcement agencies and private sector partners will play a crucial role in safeguarding the security of the United States and its allies in the face of evolving cyber threats.