US Disrupts Russian Military Intelligence Botnet

The U.S. federal government says it disrupted a criminal botnet that Russian military intelligence had converted into a platform for global cyberespionage.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

Law enforcement obtained a warrant to modify hundreds of routers made by Ubiquity that had been infected with “Moobot” malware – one of many variations of the Mirai wormable botnet found in the wild after an anonymous coder leaked source code online in 2017.

The malware targets Linux-based IoT devices – in this case, routers made by New York manufacturer Ubiquiti. The Moscow actor known as APT28, Fancy Bear and Forest Blizzard used infected routers located in the United States as proxies for hacking operations, including credential harvesting, stealing single sign-on hashes from Windows operating systems and using hacked routers to host custom tools and spear-phishing landing pages – including one designed to look like a Yahoo logon website.

The threat operates out of Russian military’s Main Intelligence Directorate, otherwise known as the GRU. Ubiquiti did not immediately return a request for comment.

Ukrainian cyber defenders earlier this month warned that APT28 had initiated a phishing campaign against military personnel and units of the Ukrainian Defense Forces through emails that imitate intelligence about the Russian invasion. When victims open the page, the threat actors throw up a field for entering user credentials. Another bait email encourages victims to click on a “change password” button. Harvested credentials are transmitted to a compromised Ubiquiti router.

A federal court granted the FBI authorization to remotely shut down the botnet by disinfecting the routers of the Moobot malware, blocking a method of remote access and subsequently monitoring the routers for remote login attempts. The warrant also allows the FBI to copy data stolen by Moscow hackers that is stored in the routers, such as stolen user credentials and files. Device owners can reverse the FBI’s alteration of firewall rules to restore remote access if they wish.

“Russian intelligence services turned to criminal groups to help them target home and office routers, but the Justice Department disabled their scheme,” said Attorney General Merrick Garland.

Thursday’s announcement of the disruption is the second time in two months that federal authorities said they had immobilized a state-sponsored botnet. Officials in January targeted a botnet operated by Chinese state actor Volt Typhoon. Botnet takedowns “aren’t a panacea, and this actor will be back with a new scheme soon,” warned John Hultquist, chief analyst at Mandiant, in an emailed statement. Botnet takedowns tend to be impermanent as threat actors recover and rebuild anew – although their subsequent operations often are diminished (see: More Signs of a Qakbot Resurgence).

Still, “as elections loom, it’s never been a better time to add friction to GRU operations,” Hultquist added. APT28 possibly affected the outcome of the U.S. 2016 election by breaking into the Democratic National Committee and leaking emails online.

Federal law enforcement said Moobot infects Ubiquiti routers by using default credentials on internet-exposed system administrator panels to implant an OpenSSH backdoor that’s numbered as a version that the legitimate OpenSSH hasn’t released. The FBI believes that APT28 came to use the Moobot network by scanning the internet for the false OpenSSH version number.