U.S. Government Disrupts Russian-Linked Botnet Engaged in Cyber Espionage

Siva Ramakrishnan
The U.S. government on Thursday said it disrupted a botnet comprising hundreds of small office and home office (SOHO) routers in the country that was put to use by the Russia-linked APT28 actor to conceal its malicious activities. “These crimes included vast spear-phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S.

The U.S. government on Thursday said it disrupted a botnet comprising hundreds of small office and home office (SOHO) routers in the country that was put to use by the Russia-linked APT28 actor to conceal its malicious activities.

“These crimes included vast spear-phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations,” the U.S. Department of Justice (DoJ) said in a statement.

APT28, also tracked under the monikers BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422, is assessed to be linked to Unit 26165 of Russia’s Main Directorate of the General Staff (GRU). It’s known to be active since at least 2007.

Court documents allege that the attackers pulled off their cyber espionage campaigns by relying on MooBot, a Mirai-based botnet that has singled out routers made by Ubiquiti to co-opt them into a mesh of devices that can be modified to act as a proxy, relaying malicious traffic while shielding their actual IP addresses.

The botnet, the DoJ said, allowed the threat actors to mask their true location and harvest credentials and NT LAN Manager (NTLM) v2 hashes via bespoke scripts, as well as hosting spear-phishing landing pages and other custom tooling for brute-forcing passwords, stealing router user passwords, and propagating the MooBot malware to other appliances.

In a redacted affidavit filed by the U.S. Federal Bureau of Investigation (FBI), the agency said MooBot exploits vulnerable and publicly accessible Ubiquiti routers by using default credentials and implants an SSH malware that permits persistent remote access to the device.

“Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords,” the DoJ explained. “GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.”

The APT28 actors are suspected to have found and illegally accessed compromised Ubiquiti routers by conducting public scans of the internet using a specific OpenSSH version number as a search parameter, and then using MooBot to access those routers.

Spear-phishing campaigns undertaken by the hacking group have also leveraged a then-zero-day in Outlook (CVE-2023-23397) to siphon login credentials and transmit them to the routers.

“In another identified campaign, APT28 actors designed a fake Yahoo! landing page to send credentials entered on the false page to a compromised Ubiquiti router to be collected by APT28 actors at their convenience,” the FBI said.

As part of its efforts to disrupt the botnet in the U.S. and prevent further crime, a series of unspecified commands have been issued to copy the stolen data and malicious files prior to deleting them and modify firewall rules to block APT28’s remote access to the routers.

The precise number of devices that were compromised in the U.S. has been censored, although the FBI noted that it could change. Infected Ubiquiti devices have been detected in “almost every state,” it added.

The court-authorized operation – referred to as Dying Ember – comes merely weeks after the U.S. dismantled another state-sponsored hacking campaign originating from China that leveraged another botnet codenamed KV-botnet to target critical infrastructure facilities.

Last May, the U.S. also announced the takedown of a global network compromised by an advanced malware strain dubbed Snake wielded by hackers associated with Russia’s Federal Security Service (FSB), otherwise known as Turla.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

U.S. State Government Network Breached via Former Employee’s Account

Next Post

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor

Related Posts

Learn How to Build an Incident Response Playbook Against Scattered Spider in Real-Time

In the tumultuous landscape of cybersecurity, the year 2023 left an indelible mark with the brazen exploits of the Scattered Spider threat group. Their attacks targeted the nerve centers of major financial and insurance institutions, culminating in what stands as one of the most impactful ransomware assaults in recent memory.  When organizations have no response plan in place for such an
Avatar
Read More

Ex-Google Engineer Arrested for Stealing AI Technology Secrets for China

The U.S. Department of Justice (DoJ) announced the indictment of a 38-year-old Chinese national and a California resident of allegedly stealing proprietary information from Google while covertly working for two China-based tech companies. Linwei Ding (aka Leon Ding), a former Google engineer who was arrested on March 6, 2024, "transferred sensitive Google trade secrets and other confidential
Avatar
Read More