On Thursday, the U.S. government announced that it had disrupted a botnet of hundreds of small office and home office (SOHO) routers in the country that the Russia-linked APT28 actor had used to conceal its malicious activities.
The U.S. Department of Justice (DoJ) said that "these crimes included extensive spear-phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments, as well as military, security, and corporate organizations."
APT28, which is also known as BlueDelta, Fancy Bear, Fighting Ursa (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422, is thought to be connected to Unit 26165 of Russia's Main Directorate of the General Staff (GRU). It is believed to have been active since at least 2007.
According to court documents, the attackers carried out their cyber espionage campaigns with MooBot, a Mirai-based botnet that singles out Ubiquiti routers and co-opts them into a pool of devices that can be repurposed as proxies, relaying malicious traffic while hiding the attackers' real IP addresses.
According to the DoJ, the botnet gave the threat actors access to NT LAN Manager (NTLM) v2 hashes and spear-phishing landing pages, as well as other custom tooling for brute-forcing passwords, stealing from router users, and spreading the MooBot malware to other appliances.
In a redacted affidavit, the U.S. Federal Bureau of Investigation (FBI) said that MooBot exploits vulnerable, publicly accessible Ubiquiti routers by using default credentials and then implants SSH malware that allows persistent remote access to the device.
The DoJ stated that non-GRU cybercriminals "installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords." GRU hackers then used the Moobot malware to install their own custom scripts and files, turning the botnet into a global cyber espionage platform.
The APT28 actors are suspected of having found the compromised Ubiquiti routers by running public internet searches for a particular OpenSSH version number, and then using MooBot to gain unauthorized access to them.
The hacking group has also exploited a then zero-day vulnerability in Outlook (CVE-2023-23397) in spear-phishing campaigns to siphon login credentials and transmit them to the routers.
In another identified campaign, according to the FBI, "APT28 actors created a fake Yahoo!" landing page that sends credentials entered on the fake page to a compromised Ubiquiti router, so that APT28 actors can retrieve them whenever they want.
As part of the effort to disrupt the botnet in the U.S. and prevent further crime, the routers were issued a number of unspecified commands to copy the stolen data and malicious files before deleting them, and to change firewall rules to block remote access to the routers.
The exact number of compromised devices has been redacted, although the FBI noted that it could change. It added that "almost every state has detected infected Ubiquiti devices."
The court-approved operation, known as Dying Ember, was carried out just a few weeks after the United States dismantled another state-sponsored hacking campaign from China that targeted critical infrastructure facilities using the KV-botnet.
In May of last year, the U.S. also shut down a global network that had been compromised by a sophisticated malware strain known as Snake, used by hackers connected to Russia's Federal Security Service (FSB), also referred to as Turla.