Russian military hackers are using compromised Ubiquiti EdgeRouters to evade detection, according to a joint advisory released by the FBI, the NSA, U.S. Cyber Command, and international partners.
Cyberspies from Military Unit 26165, part of Russia's Main Intelligence Directorate of the General Staff (GRU), are using these hacked and widely deployed routers to build extensive botnets that help steal credentials, collect NTLMv2 digests, and proxy malicious traffic.
The routers are also used to host custom tools and phishing landing pages in covert cyberattacks against militaries, governments, and other organizations around the world.
The joint advisory warns that EdgeRouters, which are built to accommodate wireless internet service providers (WISPs), are "frequently shipped with default credentials and no firewall protections."
Additionally, EdgeRouters don't update their firmware automatically unless the user configures them to do so.
Earlier this month, the FBI disrupted a botnet of Ubiquiti EdgeRouters that had originally been infected with Moobot malware by cybercriminals unconnected to APT28; the Russian hacking group later repurposed it into a cyber espionage tool with global reach.
While investigating the hacked routers, the FBI found a number of APT28 tools and artifacts, including Python scripts for stealing webmail credentials, collected NTLMv2 digests, and custom routing rules that automatically redirected phishing traffic to attacker-designated infrastructure.
APT28, a notorious Russian hacking group, has been linked to numerous well-known cyberattacks since it first started operating.
Before the 2016 U.S. presidential election, it attacked the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC). It also attacked the German Federal Parliament (Deutscher Bundestag).
Two years later, APT28 members were charged in the United States for their role in the DNC and DCCC attacks. In October 2020, the Council of the European Union also sanctioned APT28 members for their involvement in the hack of the German Federal Parliament.
How to "revive" hijacked Ubiquiti EdgeRouters
The FBI and the partner organizations that created the advisory today advise the following steps to prevent APT28 from accessing compromised routers:
- Perform a hardware factory reset to flush malicious files from the file system.
- Upgrade to the latest firmware version.
- Change any default usernames and passwords.
- Implement strategic firewall rules on WAN-side interfaces to prevent unwanted exposure of remote management services.
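The configuration-level items in that list can be checked against an exported config.boot before and after remediation. The script below is an added example (not code from the advisory, the FBI, or Ubiquiti): it parses the standard EdgeOS brace syntax, flags the factory `ubnt` account (EdgeRouters ship with `ubnt`/`ubnt`), a WAN port with no firewall ruleset attached to the router's own services or to forwarded traffic, and SSH/GUI services with no `listen-address`, and it reports the firmware release that EdgeOS records in the `/* Release version: ... */` trailer at the bottom of config.boot so the upgrade step can be verified. The sample config and the choice of `eth0` as the WAN interface are constructed for the example; a factory reset cannot be verified from a config file and is not checked.

```python
"""Audit an EdgeOS config.boot for the settings the advisory tells operators to fix."""

# Added example, not code from the advisory or from Ubiquiti. Assumes standard
# EdgeOS/Vyatta brace syntax and the '/* Release version: ... */' trailer.
import re

# Constructed sample config.boot, not from a real device: the factory 'ubnt'
# account is kept, only an 'in' ruleset guards the WAN port, and SSH/GUI
# listen on every interface. The trailer comment is where EdgeOS records firmware.
WEAK_CONFIG = """\
firewall {
    name WAN_IN {
        default-action drop
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        firewall {
            in {
                name WAN_IN
            }
        }
    }
}
service {
    gui {
        https-port 443
    }
    ssh {
        port 22
    }
}
system {
    login {
        user ubnt {
            level admin
        }
    }
}
/* Release version: v2.0.9-hotfix.6.5574651.220727.1545 */
"""


def parse_edgeos(text):
    """'key value {' opens node[key][value]; 'key {' opens node[key]; 'key value' is a leaf."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue  # trailer comments carry no configuration
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1]
            for token in line[:-1].split():
                node = node.setdefault(token, {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            value = value.strip().strip('"')
            node = stack[-1]
            prev = node.get(key)  # repeated leaves (e.g. several 'address') become a list
            node[key] = value if prev is None else (prev if isinstance(prev, list) else [prev]) + [value]
    return root


def release_version(text):
    """Firmware release string from the '/* Release version: ... */' trailer, or None."""
    match = re.search(r"/\*\s*Release version:\s*(\S+)\s*\*/", text)
    return match.group(1) if match else None


def audit(config, wan_ifaces):
    """Return (code, detail) findings; wan_ifaces names the Internet-facing ports."""
    findings = []
    users = config.get("system", {}).get("login", {}).get("user", {})
    if "ubnt" in users:
        findings.append(("default-user", "factory account 'ubnt' still exists; add a new admin, then delete it"))
    rulesets = config.get("firewall", {}).get("name", {})
    ethernet = config.get("interfaces", {}).get("ethernet", {})
    for iface in wan_ifaces:
        fw = ethernet.get(iface, {}).get("firewall", {})
        # 'local' filters traffic to the router itself (SSH, GUI); 'in' filters forwarded traffic
        for direction in ("local", "in"):
            name = fw.get(direction, {}).get("name")
            if name is None:
                findings.append((f"wan-{direction}-unfiltered", f"{iface}: no '{direction}' firewall ruleset attached"))
            elif rulesets.get(name, {}).get("default-action") not in ("drop", "reject"):
                findings.append((f"wan-{direction}-open-default", f"{iface}: ruleset {name} does not drop by default"))
    services = config.get("service", {})
    for svc in ("ssh", "gui"):
        if svc in services and "listen-address" not in services[svc]:
            findings.append(("mgmt-any-address", f"service {svc}: no listen-address, so it answers on the WAN too"))
    return findings


if __name__ == "__main__":
    print("firmware:", release_version(WEAK_CONFIG))
    for code, detail in audit(parse_edgeos(WEAK_CONFIG), ["eth0"]):
        print(f"[{code}] {detail}")
```

On the sample config the audit reports the leftover `ubnt` account, the missing `local` ruleset on `eth0`, and both management services bound to every address; attaching a drop-by-default ruleset under `interfaces ethernet eth0 firewall local` and setting `listen-address` on `service ssh` and `service gui` clears those findings. The `in` check passes here only because `WAN_IN` drops by default; a permit-by-default ruleset would be flagged as well.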
The FBI is investigating APT28 activity on hacked EdgeRouters to prevent further use of these techniques and hold those responsible accountable.
Report any suspected criminal or suspicious activity to the FBI's Internet Crime Complaint Center (IC3) or your local FBI field office.
Six years ago, in April 2018, U.S. and U.K. authorities issued a joint alert warning that Russian state-backed attackers were actively targeting home and enterprise routers.
As that April 2018 advisory warned, Russian hackers have historically targeted Internet routing equipment to conduct man-in-the-middle attacks in support of espionage campaigns, maintain persistent access to victims' networks, and lay the groundwork for other offensive operations.