May 3, 2024 at 09:10AM
Trend Micro reports that the APT28 cyberespionage group, linked to Russia, used a botnet of Ubiquiti routers for espionage. The FBI dismantled the botnet in January 2024, but Trend Micro found remnants and expanded botnet details. APT28 used infected devices for various illicit activities, including proxying stolen credentials and cryptocurrency mining.
Key takeaways from the report are as follows:
– A botnet of hijacked Ubiquiti routers used by Russia-linked APT28 for global espionage operations was dismantled by the US in January 2024, but the cleanup operation failed to fully cut the Russian hackers’ access to the infected devices, because additional malware remained on some routers and legal constraints limited what the operation could remove.
– The botnet, which became operational in 2016, consists of not only Ubiquiti routers but also Raspberry Pi and other Linux devices. Over 350 compromised datacenter VPS IP addresses were still part of the botnet post-disruption.
– In addition to APT28, at least two other threat actors, including the infamous Canadian Pharmacy gang, were found to abuse the infected devices for malicious purposes.
– Malicious activities observed on the hijacked Ubiquiti routers include SSH brute forcing, pharmaceutical spam, NTLMv2 hash relay attacks, phishing site credential proxying, cryptocurrency mining, and spear phishing emails.
– Anonymization tools such as commercial VPN services and commercially available residential proxy networks were used by cybercriminals and APT groups to blend their malicious activities with benign traffic.
These takeaways summarize APT28’s activities, the effect of the botnet takedown, and the involvement of other threat actors in exploiting the hijacked devices.