US disrupts Russian espionage botnet


The Department of Justice (DoJ) says it has taken down a global botnet controlled by Russia’s military intelligence agency, the GRU.

The botnet consisted of hundreds of small office and home routers run by the notorious GRU Military Unit 26165, which is also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit.

It was used to “conceal and otherwise enable a variety of crimes,” according to the DoJ. These included spearphishing and similar credential harvesting campaigns targeting the US and other governments, as well as military, security, and corporate organizations.


The network was neutralized during a court-mandated operation in January as part of the accelerated efforts to disrupt the Russian government’s cyber campaigns against the US and its allies, including Ukraine, the authorities said.

Attorney General Merrick B. Garland said that Russian intelligence services worked with criminal groups to target home and office routers before DoJ “disabled their scheme” as efforts to “disrupt and dismantle” Russia’s malicious cyber tools continue.

The GRU relied on the Moobot malware associated with a known criminal group, according to the DoJ. It said cybercriminals installed the malware on Ubiquiti EdgeOS routers that were still using publicly known default administrator passwords.

GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a “global cyber espionage platform.”

The FBI also helped to disrupt Russia’s access to hundreds of routers belonging to individuals, in addition to small office and home devices, according to FBI Director Christopher Wray.

“Russia’s GRU continues to maliciously target the United States through their botnet campaigns,” Wray said, adding that “this type of criminal behavior is simply unacceptable.”

Security experts welcomed the government's efforts to more proactively target threats to cybersecurity. “This takedown is a great step in that pursuit,” said Jordan LaRose of the security consulting firm NCC Group.

“However, as any experienced defender knows, this is only the tip of the iceberg of the extensive operations carried out by nation-state attackers. While this takedown may slow them down, it will certainly not put a stop to their overall strategy,” LaRose said.


Last year, the DoJ created a new National Security Cyber Section, or NatSec Cyber, to better respond to highly technical cyber threats. It was tasked with scaling and speeding up disruption campaigns, as well as prosecuting state-sponsored and non-state cybercriminals, associated money launderers, and other cyber threats to national security.