February 17, 2024 at 07:59AM
The FBI dismantled a botnet of SOHO routers used by Russia’s GRU for cyber espionage. The network, controlled by GRU Military Unit 26165, targeted US and foreign governments, military entities, and other organizations. Through the court-authorized “Operation Dying Ember,” the FBI remotely accessed the routers to delete stolen data, disable the Moobot malware, and temporarily cut off the GRU’s access. Separately, the FBI disrupted a Chinese botnet and, with CISA, issued guidance on securing SOHO routers against ongoing attacks. APT28 has been linked to earlier cyberattacks.
Key takeaways from the meeting notes:
1. The FBI successfully took down a botnet of small office/home office (SOHO) routers used by Russia’s Main Intelligence Directorate of the General Staff (GRU) for cyber espionage, targeting the United States and its allies.
2. The botnet was controlled by GRU Military Unit 26165, also known as APT28, Fancy Bear, and Sednit.
3. The Moobot malware was used by the GRU, repurposing the botnet and deploying custom malicious tools for cyber espionage with global reach.
4. The FBI conducted a court-authorized operation called “Operation Dying Ember,” remotely accessing the compromised routers to delete stolen and malicious data and files, wipe the Moobot malware, and block further remote access by the Russian operators.
5. The disruption of the Moobot botnet by the FBI is the second such action in 2024, following the takedown of the KV-botnet used by Chinese Volt Typhoon state hackers in January.
6. APT28 was previously linked to cyberattacks against various government and political entities, leading to sanctions by the Council of the European Union.
Additionally, the meeting discussed guidance issued by CISA and the FBI for SOHO router manufacturers on securing their devices against ongoing attacks, emphasizing secure configuration defaults and the elimination of web management interface flaws during development.