DoJ boots Fancy Bear out of hundreds of routers

US law enforcement agents have revealed their success in shutting down a malicious botnet used by the notorious Fancy Bear hackers.

The U.S. Department of Justice (DoJ) said in a press release that its agents conducted a “court-authorized operation” that neutralized a network of “hundreds of small office/home office (SOHO) routers”.

As explained by the DoJ, most of the Ubiquiti Edge OS routers used in the botnet were previously infected by malware called Moobot, which a private hacking group developed. This group targeted routers with factory settings and otherwise easy-to-guess passwords to install the malware. Then, APT 28 swooped in and took over the malware, turning the infected devices into a “global cyber espionage platform.”

Using malware to destroy malware

For the uninitiated, Fancy Bear is also known as Sofancy and APT 28. It is a Russian state-sponsored threat actor under the direct command of the Russian Federation’s Main Intelligence Directorate of The General Staff (GRU).

The botnet was used, the DoJ further explained, for a wide variety of cyber-criminal activities, including campaigns against Ukraine, which is a part of Russia’s war effort against its southwestern neighbor. 

Given that the majority of the infected routers were located in the United States, it seemed as if the Americans were targeting the Ukrainian infrastructure with distributed denial of service attacks, phishing, and more.

To remove the botnet, the DoJ’s agents used the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.

“Additionally, to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation,” the DoJ further explained.

The action did not impact the routers’ functionality or collect legitimate user content information. Furthermore, users can roll back the firewall rule changes, and factory reset their devices, after which it would be wise to change the passwords to something more complicated to break.


Nord VPN
60% off Nord VPN
Coinbase - Getty Images - 1234552839
Coinbase – Crypto Currency – Sign up with this link and get $10 free?! Buy/sell/exchange crypto, and use their ATM card to access your cash easily!
Chase Sapphire Preferred - Travel Points
NordPass - Password Manager - CJ Banner
https://www.dpbolvw.net/click-100604079-15345170
Binance Cryptowallet - Buy/Sell
Binance Blockchain
Amazon - Daily Deals
Amazon’s Daily Deals!
Your favorite restaurants are delivered to your front door! Grubhub!
Game Fly
Game Fly Video Game Rentals!

Please enter CoinGecko Free Api Key to get this plugin works.