U.S. FBI dismantles Russian GRU botnet built on more than 1,000 small business and home routers
The US government says it has destroyed a botnet used by Russia’s GRU military intelligence unit to conduct phishing expeditions, espionage, credential collection, and data theft against US and foreign governments and other strategic targets, The Register reports.
The most recent court-ordered seizure took place in January and included the neutralization of “more than a thousand” home and small business routers that were infected with Moobot malware, a variant of Mirai, according to FBI Director Christopher Wray, speaking at the Munich Cybersecurity Conference on Thursday. Moobot can be used to remotely control compromised devices and launch attacks on networks.
Cybercriminals not affiliated with the GRU installed Moobot on Ubiquiti EdgeOS routers using publicly known default administrator passwords. The GRU spy team (known as APT 28, Forest Blizzard, and Fancy Bear) then used Moobot to install its own scripts and files, repurposing the botnet and “turning it into a global cyberespionage platform,” according to the feds.
“Russian intelligence agencies turned to criminal groups to help them attack home and office routers, but the Department of Justice blocked their scheme,” said U.S. Attorney General Merrick Garland. “We will continue to disrupt and destroy the Russian government’s malicious cyber tools that threaten the security of the United States and our allies.”
The botnet targeted organizations of interest to the Russian government, including the governments of the United States and other countries, as well as military, security, and corporate organizations. In December, Microsoft said that the Fancy Bear team had used two previously patched bugs to launch large-scale phishing campaigns against high-profile targets such as government, defense, and aerospace agencies in the United States and Europe, although it did not say whether the botnet was used for these attacks.
Earlier this week, it was reported that Kremlin agents were caught abusing OpenAI models to create phishing emails and malware scripts.
According to U.S. prosecutors, the feds were able to order the Moobot botnet to copy and delete malicious files, including the malware itself, as well as any stolen data on the hacked routers, likely similar to what the Department of Justice did during the recent takedown of the Volt Typhoon KV botnet.
The FBI reported (PDF) that the dismantling of the Moobot network also included modifying router firewall rules to block remote-management access to the devices, preventing further theft, and “allowed for the temporary collection of non-critical routing information that would have exposed GRU attempts to disrupt” the operation.
In other words, as the source puts it, Uncle Sam was able to stop Russia from using the botnet by blocking remote-management access, cleaning the malware from the routers, and inspecting the Kremlin’s work on the infected equipment. Reportedly, all of this was done with the consent of the owners of the infected equipment.
Additionally, according to the feds, users can roll back Uncle Sam’s firewall rule changes via a factory reset or through the router’s web interface, though be aware that a reset potentially leaves the device open to hijacking again unless the default administrator password is changed.
“A factory reset that is not accompanied by a change to the default administrator password will return the router to its default administrator credentials, leaving it open to reinfection or similar compromises,” the U.S. Department of Justice warned.
This is the second time in the past few months that the FBI has claimed to have uncovered a state-sponsored botnet. The first, announced in January, belonged to China’s Volt Typhoon, which misused hundreds of outdated Cisco and Netgear devices to infiltrate energy facilities, emergency networks, and other critical infrastructure in the United States.
However, as John Hultquist, chief analyst at Google Mandiant Intelligence, told The Register, it is likely that the Kremlin-backed team will “come back with a new scheme soon” given the upcoming elections, which the Russians are keen to influence because of the war with Ukraine.
Fancy Bear is believed to be behind the interference with the US Democratic Party’s computers during the 2016 presidential race, and the group has continued to try to disrupt elections since then.
It is believed that if Donald Trump wins the US presidential election, he will fully withdraw military and financial assistance to Ukraine and will not provide NATO assistance to European countries if Russia attacks the EU. In other words, Putin is betting that if Trump wins, he will “give” Ukraine and Europe as a whole to Russia.