FBI disrupts Moobot botnet used by Russian military hackers

February 15, 2024 at 01:07PM

The FBI dismantled a botnet of SOHO routers that Russia’s GRU used for cyberattacks on the US and its allies. The GRU had repurposed an existing botnet built with Moobot malware, possibly originating with cybercriminals. The FBI remotely accessed the routers and wiped the malware, blocking the GRU’s access. The operators were identified as APT28, a group known for previous cyberattacks. This marks the second botnet takedown in 2024.

Key takeaways from the article:

1. The FBI has taken down a botnet of small office/home office (SOHO) routers used by Russia’s Main Intelligence Directorate of the General Staff (GRU) in spearphishing and credential theft attacks targeting the United States and its allies.
2. The botnet consisted of Ubiquiti EdgeOS routers infected with Moobot malware and controlled by GRU Military Unit 26165, also known as APT28, Fancy Bear, and Sednit.
3. The GRU repurposed the existing Moobot malware deployed by cybercriminals to create a cyber espionage tool with global reach.
4. The FBI conducted a court-authorized operation to remotely access the compromised routers, wipe the malware, block remote access, and temporarily modify the routers’ firewall rules to thwart GRU’s access.
5. The operation did not disrupt the devices’ standard functionality or harvest user data, and the actions taken by the FBI are temporary.
6. APT28 has been linked to previous cyber-espionage attacks, including the 2015 hack of the German Federal Parliament and attacks against the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) in 2016.
7. Moobot is the second botnet used by state-sponsored hackers that the FBI has disrupted in 2024, following the January takedown of the KV-botnet used by the Chinese state-sponsored group Volt Typhoon.

This highlights the significant action the FBI has taken to neutralize the threat posed by the GRU-controlled botnet, and the ongoing effort to address security weaknesses in SOHO routers.
