Russian Worldwide Espionage Botnet Caught and Disrupted


The US Department of Justice claims to have taken down a global botnet controlled by GRU, Russia’s military intelligence agency. The botnet reportedly consisted of hundreds of small office and home routers and was run by the GRU Military Unit 26165, also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit.

According to Cybernews, the botnet was also used to “conceal and otherwise enable a variety of crimes,” including credential-harvesting campaigns targeting governments, militaries, and security and corporate organizations.

Authorities report the network was neutralized during a court-authorized operation at the beginning of 2024, as part of an effort to disrupt the Russian government’s cyber campaigns against the US and its allies. According to Attorney General Merrick B. Garland, Russian intelligence services worked with criminal groups to target home and office routers before the DoJ “disabled their scheme,” and efforts to “disrupt and dismantle” Russia’s malicious cyber tools continue.

The GRU relied on the Moobot malware associated with a known criminal group. The cybercriminals installed the malware on Ubiquiti EdgeOS routers that were still using publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own scripts and files that repurposed the botnet, turning it into a “global cyber espionage platform.”

The FBI also aided in disrupting Russia’s access to hundreds of routers belonging to individuals, small offices, and homes. FBI Director Christopher Wray said “Russia’s GRU continues to maliciously target the United States through their botnet campaigns… this type of criminal behavior is simply unacceptable.”

Many security experts express their approval of the government’s efforts to target threats to cybersecurity more proactively but claim that this is only the tip of the iceberg of the extensive operations carried out by nation-state attackers. While this recent operation may slow them down, it will certainly not put a stop to their overall strategy.