February 16, 2024 at 02:03AM
The U.S. government disrupted a botnet using SOHO routers linked to APT28 for cyber-espionage against U.S. and foreign targets. The botnet, dubbed MooBot, allowed threat actors to harvest credentials and conceal their location. The operation, known as Dying Ember, involved deleting stolen data and modifying firewall rules to block access. The FBI detected infected Ubiquiti routers in almost every U.S. state.
Key takeaways from the report:
– The U.S. government has disrupted a botnet, known as MooBot, composed of small office and home office routers in the country. This botnet was used by the Russia-linked APT28 hacking group to conceal their malicious activities, including spear-phishing and credential harvesting campaigns against targets of intelligence interest to the Russian government.
– APT28 is associated with Unit 26165 of Russia’s Main Directorate of the General Staff (GRU) and has been active since at least 2007 under various monikers.
– The attackers exploited vulnerable Ubiquiti routers using default credentials, implanting SSH malware to achieve persistent remote access to the devices.
– The botnet enabled the threat actors to mask their true location, harvest credentials, and manipulate routers for various malicious activities.
– The U.S. Federal Bureau of Investigation (FBI) filed a redacted affidavit detailing the exploitation and misuse of the MooBot malware to conduct global cyber espionage activities.
– The U.S. government, through a court-authorized operation called Dying Ember, has taken steps to disrupt the botnet and prevent further criminal activities, including copying stolen data and malicious files before deletion and modifying firewall rules to block APT28’s remote access to the routers.
– The number of compromised devices in the U.S. is redacted, but infected Ubiquiti devices have been detected in “almost every state.”
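The access pattern described above (logins to a built-in account, over SSH, from outside the local network) is the kind of event a router's own authentication log records. The following is an added example, not code from the report or from any vendor: a small scanner that reads OpenSSH-style `Accepted ...` lines and flags logins that match that pattern. The log lines are constructed, the account name `ubnt` is assumed here to be the device's factory account (adjust to the vendor's documented default), and "internal" is defined explicitly as RFC 1918, loopback and link-local space rather than relying on `ipaddress.is_private`, which also treats the documentation ranges used in the sample as non-public.

```python
"""Flag suspicious SSH logins on a SOHO router from OpenSSH-style auth log lines.

Added example; assumes the router writes sshd auth lines in the common
"Accepted <method> for <user> from <ip> port <n> ssh2" format.
"""
import ipaddress
import re

# Assumption: the device's factory account name. Replace with the vendor's
# documented default(s) for the hardware being reviewed.
DEFAULT_ACCOUNTS = {"ubnt"}

# Address space we treat as "inside the network". Anything else counts as
# WAN/public, including the documentation ranges used in the sample below.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
        "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
        "fc00::/7", "::1/128", "fe80::/10",                # IPv6 equivalents
    )
]

# Matches the successful-login line sshd emits; failed attempts do not match.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\da-fA-F.:]+) port (?P<port>\d+)"
)

# Constructed sample log: one WAN password login to the factory account,
# one LAN key-based login, one failed attempt that should be ignored.
SAMPLE_LOG = [
    "Feb 10 03:12:44 router sshd[1201]: Accepted password for ubnt from 203.0.113.45 port 51234 ssh2",
    "Feb 10 08:01:02 router sshd[1314]: Accepted publickey for ops from 192.168.1.10 port 50022 ssh2",
    "Feb 10 09:15:10 router sshd[1402]: Failed password for invalid user test from 198.51.100.7 port 44010 ssh2",
]


def parse_accepted(line):
    """Return the fields of a successful-login line, or None for any other line."""
    m = ACCEPTED_RE.search(line)
    if not m:
        return None
    return {"method": m["method"], "user": m["user"], "ip": m["ip"], "port": int(m["port"])}


def is_external(ip_str):
    """True when the address is outside the internal ranges listed above."""
    ip = ipaddress.ip_address(ip_str)
    # `in` across IP versions simply returns False, so mixed lists are safe.
    return not any(ip in net for net in INTERNAL_NETS)


def assess(line):
    """Return the list of reasons a login line is suspicious (empty = nothing flagged)."""
    ev = parse_accepted(line)
    if ev is None:
        return []
    reasons = []
    external = is_external(ev["ip"])
    if external:
        reasons.append("login from WAN/public address")
    if ev["user"] in DEFAULT_ACCOUNTS:
        reasons.append(f"default account '{ev['user']}'")
    if external and ev["method"] == "password":
        reasons.append("password authentication accepted from the internet")
    return reasons


def scan(lines):
    """Return (line, reasons) pairs for every line that raised at least one reason."""
    flagged = []
    for line in lines:
        reasons = assess(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   -", r)
```

Run against a real router's auth log, the output is a short list of logins to review; a clean device exposing no management interface to the WAN should produce none. The "password from the internet" reason is listed separately from the WAN reason because the mitigation differs: the first is fixed by disabling password authentication, the second by restricting the management interface to the LAN with firewall rules, which is the same class of change the Dying Ember operation applied.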
Overall, the report highlights the significant efforts taken by the U.S. government to counter cyber threats and disrupt malicious activities linked to state-sponsored hacking campaigns.