
FBI disrupts Russian botnet used by state military hackers

A malicious botnet used by Russian military hackers has been disrupted by the FBI, according to new reports.

Daniel Croft
Fri, 16 Feb 2024

The Moobot botnet, which is used by the Russian Main Intelligence Directorate for the General Staff (GRU), is built on a network of Ubiquiti Edge OS small office/home office (SOHO) routers.

“Non-GRU cyber criminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords,” wrote the US Justice Department in a media release.

GRU Military Unit 26165, also known as APT28, Fancy Bear, Forest Blizzard and others, then installed its “own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform”.

The Russian military threat group has been observed using the botnet in credential theft and spear phishing attacks against US and allied targets.

“These crimes included vast spear phishing and similar credential-harvesting campaigns against targets of intelligence interest to the Russian government, such as US and foreign governments and military, security, and corporate organisations,” the US DOJ said.

Now, the government has disrupted the botnet’s operations as part of a court-authorised campaign called “Operation Dying Ember”.

“Operation Dying Ember was an international effort led by FBI Boston to remediate over a thousand compromised routers belonging to unsuspecting victims here in the United States and around the world that were targeted by malicious, nation-state actors in Russia to facilitate their strategic intelligence collection,” wrote Jodi Cohen, special agent in charge for the FBI Boston Field Office.

“The FBI’s strong partnerships with the private sector were critical to identifying and addressing this threat, which targeted our national security interests here and abroad.

“This operation should make it crystal clear to our adversaries that we will not allow anyone to exploit our technology and networks.”

This is the second time the botnet has been disrupted in a two-month period, according to Lisa Monaco, US Deputy Attorney-General.

The use of the botnet is a unique case, even for Russian state-sponsored or government-aligned hackers such as APT28, as it was used by both the military hackers and criminal organisations, making the disruption a “unique, two-for-one-operation”, according to Assistant Attorney-General Matthew G. Olsen of the Justice Department’s National Security Division.

Additionally, the botnet marks Russia’s continually increasing interest in leveraging the capabilities of threat actors and making use of common technologies to achieve its goals, according to US Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania.

“This is yet another case of Russian military intelligence weaponising common devices and technologies for that government’s malicious aims,” she said.

“As long as our nation-state adversaries continue to threaten US national security in this way, we and our partners will use every tool available to disrupt their cyber thugs – whomever and wherever they are.”

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.