DoJ boots Fancy Bear out of hundreds of routers
US law enforcement agents have revealed their success in shutting down a malicious botnet used by the notorious Fancy Bear hackers.
The U.S. Department of Justice (DoJ) said in a press release that its agents conducted a “court-authorized operation” that neutralized a network of “hundreds of small office/home office (SOHO) routers”.
As explained by the DoJ, most of the Ubiquiti EdgeOS routers in the botnet had previously been infected with malware called Moobot, developed by a non-state cybercriminal group. That group targeted routers still running factory-default or otherwise easy-to-guess passwords to install the malware. APT28 then swooped in, took over the Moobot-infected devices, and turned them into a “global cyber espionage platform.”
Using malware to destroy malware
For the uninitiated, Fancy Bear is also known as Sofacy and APT28. It is a Russian state-sponsored threat actor operating under the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU).
The botnet was used, the DoJ further explained, for a wide variety of malicious activities, including campaigns against Ukraine that form part of Russia’s war effort against its southwestern neighbor.
Because the majority of the infected routers were located in the United States, the attacks on Ukrainian infrastructure (distributed denial of service, phishing, and more) appeared to originate from American devices rather than from Russia.
To dismantle the botnet, the DoJ’s agents turned the Moobot malware against itself, using it to copy and then delete the stolen data and malicious files from the compromised routers.
“Additionally, to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation,” the DoJ further explained.
The action did not impact the routers’ functionality or collect legitimate user content. Users can roll back the firewall rule changes and factory reset their devices; since a factory reset restores the default credentials that let Moobot in to begin with, owners should then change the passwords to something far harder to guess before exposing the device to the internet again.