U.S. Government Disrupts Russian Cyber Espionage Network

The U.S. Department of Justice announced Thursday that it has successfully disrupted and partially dismantled a global cyber espionage network operated by the Russian military intelligence agency GRU.

According to the press release, the network consisted of hundreds of compromised small office and home office (SOHO) routers that were infected with malware known as "Moobot." This allowed the GRU to use the routers to conceal cyber intrusion and data theft campaigns targeting foreign governments, militaries, and corporations of intelligence value.

Recent GRU cyber campaigns neutralized in this latest operation had allegedly targeted the Ukrainian government and private sector organizations in the U.S. and allied countries. The botnet provided cover for a range of cyber crimes including spearphishing attempts to steal credentials and sensitive information.

Unique Botnet Architecture

In contrast to previous Russian cyber espionage infrastructure, this particular botnet was not built from the ground up by GRU developers. Instead, they relied on existing criminal malware, Moobot, that had already infected a large number of Ubiquiti routers still using default login credentials.

GRU hackers then modified the malware to install additional scripts and tools on the compromised devices. This transformed the routers into a covert global surveillance network completely under their control.

Details of the Disruption Operation

Because the Moobot malware already provided remote access to the infected routers, the Department of Justice obtained court authorization to use that same access to delete stolen data and files from the devices. It also modified the routers' firewall settings to cut off the GRU's remote access, while allowing temporary collection of routing data to monitor for attempts to regain control.

The operation was designed to be reversible and to avoid collecting or affecting any legitimate user content on the devices. Owners can restore factory settings if they wish, provided they then replace the default administrative password.

Comments from U.S. Officials

The press release included statements from Attorney General Merrick Garland, FBI Director Christopher Wray, Deputy Attorney General Lisa Monaco, and other officials. They emphasized that the operation was part of an accelerating effort to preempt Russian cyber campaigns targeting the U.S. and its allies.

Attorney General Garland said, "The Justice Department is accelerating our efforts to disrupt the Russian government's cyber campaigns against the United States and our allies, including Ukraine. In this case, Russian intelligence services turned to criminal groups to help them target home and office routers, but the Justice Department disabled their scheme. We will continue to disrupt and dismantle the Russian government's malicious cyber tools that endanger the security of the United States and our allies."

Next Steps for Affected Users

The FBI is working with Internet Service Providers to notify owners of compromised routers. Anyone who believes their router may be infected should visit the FBI's Internet Crime Complaint Center website.

The FBI recommends owners of potentially affected routers take the following remediation steps:

  • Perform a hardware factory reset to delete malicious files
  • Upgrade firmware to the latest version
  • Change any default admin usernames and passwords
  • Carefully implement firewall rules to restrict remote access
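As an added example (not from the press release, the FBI, or the article), the following Python script audits a router configuration against the four remediation steps above and models the same kind of remote-access restriction the disruption operation applied to the routers' firewalls. The configuration model, the default-credential list, the firmware baseline, and the two sample routers are all constructed assumptions, not vendor data.

```python
"""Audit a SOHO router configuration against the remediation checklist above.
Everything here is constructed for illustration: the config model, the
default-credential list, the firmware baseline and the sample routers."""
from dataclasses import dataclass, field

# Constructed list of factory defaults (illustrative, not a vendor-specific list)
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("ubnt", "ubnt"),
    ("root", "root"),
}

# Assumed "latest" firmware for this fleet; an operator would take it from the vendor's release notes
CURRENT_FIRMWARE = (6, 3, 6)

# Ports commonly used for remote administration (SSH, Telnet, HTTP/HTTPS and alt-HTTP)
MANAGEMENT_PORTS = (22, 23, 80, 443, 8080, 8443)


@dataclass
class FirewallRule:
    interface: str  # "wan" or "lan"
    port: int
    action: str     # "accept" or "drop"


@dataclass
class RouterConfig:
    hostname: str
    firmware: str
    admin_user: str
    admin_password: str
    wan_default_policy: str  # applied when no rule matches: "accept" or "drop"
    rules: list = field(default_factory=list)


def parse_firmware(version: str) -> tuple:
    """Turn 'v5.6.2' into (5, 6, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def wan_exposed_ports(rules, wan_default_policy: str) -> list:
    """Return the management ports reachable from the WAN side.

    Rules are evaluated first-match-wins, as most router firewalls do; a port
    with no matching WAN rule falls through to the interface's default policy,
    which is how a default-accept WAN exposes everything with an empty rule set.
    """
    exposed = []
    for port in MANAGEMENT_PORTS:
        action = wan_default_policy
        for rule in rules:
            if rule.interface == "wan" and rule.port == port:
                action = rule.action
                break
        if action == "accept":
            exposed.append(port)
    return exposed


def audit(cfg: RouterConfig) -> list:
    """Return finding tags; an empty list means the checklist is satisfied."""
    findings = []
    if (cfg.admin_user, cfg.admin_password) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    if parse_firmware(cfg.firmware) < CURRENT_FIRMWARE:
        findings.append("outdated-firmware")
    exposed = wan_exposed_ports(cfg.rules, cfg.wan_default_policy)
    if exposed:
        findings.append("wan-management-exposed:" + ",".join(str(p) for p in exposed))
    return findings


# Constructed sample: a router in the state the press release describes
# (default login, old firmware, administration reachable from the internet).
UNPATCHED = RouterConfig(
    hostname="office-gw-before",
    firmware="v5.6.2",
    admin_user="ubnt",
    admin_password="ubnt",
    wan_default_policy="accept",
    rules=[],
)

# Constructed sample: the same router after the four remediation steps.
REMEDIATED = RouterConfig(
    hostname="office-gw-after",
    firmware="v6.3.6",
    admin_user="gw-admin",
    admin_password="example-unique-passphrase",  # placeholder, not a real secret
    wan_default_policy="drop",
    rules=[FirewallRule("lan", 443, "accept")],  # admin UI reachable from the LAN only
)

if __name__ == "__main__":
    for cfg in (UNPATCHED, REMEDIATED):
        print(cfg.hostname, audit(cfg) or ["ok"])
```

The firewall check is the part worth studying: it treats the WAN default policy as the fallback for every management port, so a router with no explicit rules and a default-accept WAN is flagged on all of them, while the remediated configuration only permits the admin interface from the LAN side. A real deployment would read the configuration from the device's management API or exported config rather than from the constructed dataclasses used here.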

This operation represents the latest in an ongoing campaign by the Justice Department and its partners to neutralize Russian cyber espionage infrastructure targeting the U.S. and its allies. Officials promise to continue leveraging all legal authorities and technical capabilities available to combat these threats to national security.
