Federal law enforcement kicked Russian state hackers off a botnet comprising at least hundreds of home office and small office routers that had been pulled together by a cybercriminal group and co-opted by the state-sponsored spies.
APT28, a high-profile advanced persistent threat group linked to Russia’s GRU military intelligence agency, used the network of Ubiquiti Edge OS routers to hide its activities while it ran operations that included spearphishing and similar attacks against U.S. and foreign governments, militaries, and security and corporate organizations in espionage campaigns aimed at harvesting credentials, according to an announcement Thursday by the U.S. Department of Justice.
Federal authorities were not only able to toss APT28 – also known as Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit – from the botnet, but also shut down access to the botnet by both the Russian gang and others that were using it.
“In this unique, two-for-one operation, the National Security Division and its partners disrupted a botnet used by both criminal and state-sponsored actors,” Assistant Attorney General Matthew Olsen of the DOJ’s National Security Division, said in a statement.
Unlike similar operations run by the GRU and Russia’s Federal Security Service (FSB), the Russian hackers didn’t build the botnet themselves. Instead, they piggybacked on a botnet built by another known cybercriminal group, which had installed the malware on Ubiquiti routers that were still using publicly known default administrator passwords.
Using the Moobot malware, the GRU operators installed their own scripts and files, essentially repurposing the botnet into a global cyber-espionage platform. According to the redacted search warrant, APT28 likely located already compromised Ubiquiti routers by running public internet scans for the specific version number of the OpenSSH-based malware already implanted on them.
Once found, the Russian hackers used the Moobot malware to access those routers.
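The warrant’s description of the scanning step, finding implants by the version number their SSH service advertises, is something a defender can turn around and run against their own external address space. The following is an added example, not code from the article, the DOJ, Ubiquiti or the Moobot operators: it parses SSH identification strings (the “SSH-protoversion-softwareversion [comments]” form defined in RFC 4253 section 4.2) from a constructed scan listing and reports the hosts whose software version exactly matches a suspect string. The suspect string `OpenSSH_5.9p1`, the sample hosts (RFC 5737 documentation addresses) and their banners are all placeholders; the article does not give the implant’s real version number.

```python
"""Triage SSH identification strings from scan output and flag a suspect
software version.

Added example; not code from the article, the DOJ or Ubiquiti. The banner
grammar follows RFC 4253 section 4.2. The suspect version string and the
scan lines are constructed placeholders, not real data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 4253 s4.2: "SSH-" protoversion "-" softwareversion, optionally
# followed by a single space and free-form comments.
_ID_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


@dataclass(frozen=True)
class SshBanner:
    host: str
    proto: str
    software: str
    comments: Optional[str]


def parse_banner(host: str, line: str) -> Optional[SshBanner]:
    """Parse one identification string; return None if it is not a valid SSH banner."""
    m = _ID_RE.match(line.strip())
    if m is None:
        return None
    return SshBanner(host, m.group("proto"), m.group("software"), m.group("comments"))


def parse_scan(scan_text: str) -> List[SshBanner]:
    """Parse "<host> <banner>" lines; blank, non-SSH and malformed lines are skipped."""
    banners = []
    for raw in scan_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        host, _, banner = raw.partition(" ")
        parsed = parse_banner(host, banner)
        if parsed is not None:
            banners.append(parsed)
    return banners


def find_suspect_hosts(scan_text: str, suspect_software: str) -> List[str]:
    """Hosts whose softwareversion equals the suspect string exactly.

    Exact comparison on the softwareversion token, not a substring search:
    the comments field (distribution patch level etc.) is ignored, and
    "OpenSSH_5.9" must not silently match "OpenSSH_5.9p1".
    """
    return sorted(b.host for b in parse_scan(scan_text) if b.software == suspect_software)


# Constructed sample scan output (RFC 5737 addresses); not real hosts or banners.
SAMPLE_SCAN = """\
192.0.2.10 SSH-2.0-OpenSSH_7.4
192.0.2.11 SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
192.0.2.12 SSH-2.0-dropbear_2019.78
192.0.2.13 SSH-2.0-OpenSSH_5.9p1
192.0.2.14 HTTP/1.1 400 Bad Request
192.0.2.15 SSH-1.99-OpenSSH_3.9p1
"""

# Placeholder for the implant's advertised version (assumption; not given in the article).
SUSPECT_SOFTWARE = "OpenSSH_5.9p1"

if __name__ == "__main__":
    for b in parse_scan(SAMPLE_SCAN):
        print(f"{b.host:<12} proto={b.proto:<5} software={b.software} comments={b.comments}")
    print("suspect hosts:", find_suspect_hosts(SAMPLE_SCAN, SUSPECT_SOFTWARE))
```

A banner match is a lead, not a verdict: the identification string is whatever the listening process chooses to send, so a hit should be followed by a closer look at the device (firmware version, configured admin credentials, unexpected firewall or cron entries) rather than treated as proof of compromise, and a non-match does not clear a device whose implant has been reconfigured.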
“The Ubiquiti routers have a robust operating system and are popular with users because they are user friendly but nevertheless offer greater capabilities than most consumer-level routers,” the search warrant reads. “Accordingly, these devices are attractive targets for malicious actors because they can repurpose these routers as capable platforms to conduct illegal activity.”
The GRU spies used the routers to run spearphishing campaigns, at times sending specially crafted emails to Microsoft Outlook users and exploiting a zero-day vulnerability to transmit victims’ login credentials back to the routers. The devices also hosted a fake Yahoo landing page used in other campaigns and stored the credentials stolen in the scam.
The DOJ and FBI themselves used the Moobot malware to copy and delete stolen and malicious data and files from the infected routers, and modified the routers’ firewall rules to block anyone from remotely managing the devices. The DOJ said it also enabled the temporary collection of non-content routing information to expose any attempts by APT28 to interfere with the court-authorized operation, dubbed “Operation Dying Ember,” which included private-sector partners such as Microsoft and the Shadowserver Foundation.
U.S. Attorney General Merrick Garland said in a statement that “Russian intelligence services turned to criminal groups to help them target home and office routers, but the Justice Department disabled their scheme.”
The agencies said investigators “extensively tested” how the Ubiquiti Edge OS routers worked and that the steps taken on the routers did not affect the devices’ normal functionality or collect data about their users. That said, the steps taken to disconnect the routers from the Moobot network are temporary.
“Users can roll back the firewall rule changes by undertaking factory resets of their routers or by accessing their routers through their local network,” they wrote. “However, a factory reset that is not also accompanied by a change of the default administrator password will return the router to its default administrator credentials, leaving the router open to reinfection or similar compromises.”
Moobot, a variant of the notorious Mirai botnet malware, was detected in 2021 by researchers with Fortinet’s FortiGuard Labs group and has been actively used since. In September 2022, Palo Alto Networks’ Unit 42 group said it found attackers targeting vulnerabilities in D-Link devices, and FortiGuard analysts in March 2023 reported on attacks targeting vulnerabilities in Cacti and Realtek software to spread the Moobot and ShellBot malware.
More recently, Unit 42 researchers late last year issued a warning about APT28 targeting a vulnerability in Outlook, while a cybersecurity agency within the Ukrainian government said the Russian hackers were running phishing attacks against Ukrainian military personnel.
The initiative against the GRU adversaries was the second such operation against nation-state hackers in recent weeks. Last month federal authorities shut down a botnet run by the Chinese state-sponsored threat group Volt Typhoon, which had infected Cisco and Netgear home and small office routers with the KV Botnet malware to create a botnet of hundreds of compromised devices.
Like APT28, Volt Typhoon used the botnet to conceal its identity while it ran cyberespionage campaigns against the United States.
“For the second time in two months, we’ve disrupted state-sponsored hackers from launching cyber-attacks behind the cover of compromised U.S. routers,” Deputy Attorney General Lisa Monaco said.
The U.S. government under the Biden Administration has been vocal about the threat of state-sponsored attacks from the likes of Russia, China, Iran, and North Korea. Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and National Security Agency warned that Volt Typhoon has compromised multiple critical infrastructure organizations in such sectors as communications, energy, transportation, and water and wastewater systems in the United States and some of its territories, including Guam, essentially lying in wait until the right time to strike.
In some instances, the APT group had hidden in networks for as long as five years.
The private sector also is seeing such groups in action. In a joint statement this week, Microsoft and OpenAI said they had disrupted the activities of five state-affiliated groups – including APT28 – that were trying to use OpenAI services in their operations for such tasks as querying open-source information, translating, finding coding errors, and running basic coding tasks.
OpenAI and Microsoft – which has a close relationship with OpenAI and has invested more than $10 billion in the company – identified and shut down the OpenAI accounts associated with the groups.
The other threat groups named by the vendors were Charcoal Typhoon and Salmon Typhoon, both of China, an Iran-affiliated gang called Crimson Sandstorm, and Emerald Sleet, from North Korea.