DoJ Breaks Russian Military Botnet in Fancy Bear Takedown

The feds disrupted a Russian intelligence SOHO router botnet notable for being built with Moobot malware rather than custom code.


The Department of Justice (DoJ) has disrupted a botnet used by Russian military intelligence for widespread cyber espionage.

The network was made up of hundreds of individual small office/home office (SOHO) routers that GRU Military Unit 26165 (better known as Fancy Bear, and also tracked as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, and Sednit) used to launch operations including spear-phishing and credential harvesting, according to the DoJ.

And unlike the custom-built infrastructure typically used by Russian state-affiliated threat actors, this one was built on existing malware, called Moobot, that is linked to other known cybercriminal actors, the Justice Department said in its statement.

"Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords," the DoJ explained. "GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global espionage platform."

US law enforcement was able to use the Moobot malware itself to access the compromised routers, copy and then delete the stolen data, remove the malicious files, regain full control of each device, and block further remote access, according to the DoJ.

The US government said affected Ubiquiti Edge OS routers in the US were disconnected from the Moobot network and that the changes made to the devices are temporary. The DoJ urges owners to perform a factory reset on affected routers and change the default administrator password. The order matters: a factory reset restores the factory credentials, so a device that is reset but not given a new password is back in exactly the state that let Moobot in.
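The check a practitioner would want after reading that guidance is a way to tell, from a saved configuration backup, whether an EdgeRouter is still in the state the DoJ describes. The script below is an added example, not code from the DoJ, Ubiquiti, or this article. It parses the brace-delimited config that EdgeOS writes to /config/config.boot and flags the factory default `ubnt` login, password hashes that match a list of known-default hashes the operator supplies, MD5-crypt (`$1$`) hashes, and ssh/gui management services with no `listen-address` restriction. The two configs are constructed for the example, the hash strings are placeholders, and the option names (`listen-address`, `encrypted-password`) are assumptions drawn from the EdgeOS CLI that should be checked against your firmware version; a WAN_LOCAL firewall rule set can also close management exposure, and the audit does not evaluate firewall rules.

```python
"""Audit an EdgeOS config.boot backup for the conditions behind the Moobot infections.

Added example, not DoJ, Ubiquiti, or Dark Reading code. Option names are
assumptions from the EdgeOS CLI; the sample configs and hashes are constructed.
"""
from __future__ import annotations

import shlex

# Constructed: what a never-reconfigured EdgeRouter looks like after a factory reset.
WEAK_CONFIG = """\
service {
    gui {
        http-port 80
        https-port 443
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $1$placeholder$notarealhash0000000000
                plaintext-password ""
            }
            level admin
        }
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:system@4" === */
"""

# Constructed: default account removed, SHA-512 hash, management bound to the LAN side.
HARDENED_CONFIG = """\
service {
    gui {
        https-port 443
        listen-address 192.168.1.1
    }
    ssh {
        port 22
        listen-address 192.168.1.1
    }
}
system {
    host-name edge-1
    login {
        user netadmin {
            authentication {
                encrypted-password $6$placeholder$notarealhash0000000000
                plaintext-password ""
            }
            level admin
        }
    }
}
"""


def parse_config(text: str) -> dict:
    """Parse EdgeOS/Vyatta brace syntax into nested dicts.

    'name {' opens a block (keys such as 'user ubnt' keep their instance
    name), '}' closes it, and 'key value' becomes a string leaf. Lines that
    start with '/*' are the version trailer EdgeOS appends and are skipped.
    """
    root: dict = {}
    stack: list[dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in config")
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            tokens = shlex.split(line)  # keeps "" as an empty value
            if tokens:
                stack[-1][tokens[0]] = " ".join(tokens[1:])
    if len(stack) != 1:
        raise ValueError("unclosed block in config")
    return root


def audit(cfg: dict, known_default_hashes: frozenset[str] = frozenset()) -> list[str]:
    """Return finding codes; an empty list means none of the checks fired.

    known_default_hashes: fill from a device read immediately after a factory
    reset so an account that was renamed but kept the factory password is caught.
    """
    findings: list[str] = []
    for key, user in cfg.get("system", {}).get("login", {}).items():
        if not key.startswith("user "):
            continue
        name = key.split(" ", 1)[1]
        pw_hash = user.get("authentication", {}).get("encrypted-password", "")
        if name == "ubnt":  # factory default login name on EdgeOS
            findings.append("default-account")
        if pw_hash in known_default_hashes:
            findings.append(f"default-password:{name}")
        if pw_hash.startswith("$1$"):  # MD5-crypt; $6$ is SHA-512-crypt
            findings.append(f"weak-hash:{name}")
    services = cfg.get("service", {})
    for svc in ("gui", "ssh"):
        if svc in services and "listen-address" not in services[svc]:
            findings.append(f"unrestricted-service:{svc}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(parse_config(text)) or 'clean'}")
```

To run it against a real device, copy /config/config.boot off the router and pass its contents to `parse_config` in place of the constructed strings; a non-empty result means the device still matches the profile the DoJ says the Moobot operators selected for.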

Value in Slowing Down Espionage Efforts

Deputy Attorney General Lisa Monaco noted this is the second time in two months the DoJ has disrupted a state-sponsored botnet. John Hultquist, chief analyst with Mandiant Intelligence at Google Cloud, said that while this operation alone is unlikely to have a significant impact on Russian cyber-espionage operations, there is value in slowing their efforts with such disruptions.

"These actions aren't a panacea and this actor will be back with a new scheme soon, but as elections loom, it's never been a better time to add friction to GRU operations," Hultquist explained in a statement. "The hack and leak operations they have carried out may be the most effective cyberattack on elections we've witnessed, and we have no reason to believe they won't replay this tactic again."
