[German]International law enforcement agencies (FBI, BKA etc.) have broken up a suspected Russian espionage network that was infecting routers from the manufacturer Ubiquiti. The spy network has been shut down last week. However, users of Ubiquiti routers should now reset their devices, assign their own password and also update them to the latest firmware version.
Advertising
The news about the dismantling of a spy network was published last week on Thursday, February 15, 2024. In the article Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation's Main Intelligence Directorate of the General Staff (GRU), the US Department of Justice announces that a US court granted permission to dismantle the spy network in January 2024.
SOHO routers from Ubiquiti infected
The spy network consisted of hundreds of small office/home office (SOHO) routers, and was used by GRU military unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, to conceal and facilitate a variety of offenses.
These crimes included extensive spear phishing and similar credential collection campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. Unit 26165's activities have resulted in a cybersecurity advisory to the private sector and a warning to the Ukrainian government in recent months.
Moobot malware network taken down
This botnet differs from previous GRU and Russian Federal Security Service (FSB) malware networks in that the GRU did not create it from scratch. Instead, the GRU relied on the "Moobot" malware, which is associated with a known criminal group. Cybercriminals not affiliated with the GRU installed the Moobot malware on Ubiquiti Edge OS routers that were still using publicly known default administrator passwords. The GRU hackers then used the Moobot malware to install their own customized scripts and files that repurposed the botnet and turned it into a global cyber espionage platform.'
Court authorized dismantling
The Ministry's court-authorized operation used the Moobot malware to copy and delete stolen and malicious data and files from the compromised routers. To neutralize the GRU's access to the routers until the victims could mitigate the compromise and regain full control, the routers' firewall rules were reversibly changed.
Advertising
This blocked remote management access to the devices. Furthermore, during the course of the operation, the temporary collection of routing information without content was activated in order to detect the GRU's attempts to thwart the operation. Prior to the operation, the takeover of the Ubiquiti Edge OS routers in question was extensively tested. Aside from blocking GRU's remote access to the routers, the operation had no impact on the normal functionality of the routers or the collection of legitimate user data.
Users need to take action
It is now up to users to respond to the removal of infected routers from the Moobot network. Users can reverse the firewall rule changes by resetting their routers to factory defaults or by accessing their routers via their local network (e.g. via the routers' web-based user interface).
However, resetting the router to factory settings without simultaneously changing the default administrator password will result in the router operating with the default administrator credentials again, making it vulnerable to re-infection or similar attacks. To protect themselves, the FBI advises all victims to perform the following remediation steps:
- Perform a hardware factory reset to clean the file system of malicious files;
- Update the devices to the latest firmware version;
- Change all default usernames and passwords
Furthermore, the FBI recommends that victims implement strategic firewall rules to prevent unwanted disclosure of remote management services. The last step, however, will only be possible for more experienced users. The FBI strongly advises router owners not to connect their devices to the Internet until the default passwords have been changed. Thanks to the blog reader who has send me the tip.
