Feds dismantle Russian GRU botnet built on 1,000-plus home, small biz routers
The Register ^ | Thu 15 Feb 2024 | Jessica Lyons

Posted on 02/16/2024 3:42:02 PM PST by nickcarraway

Beijing, now Moscow… Who else is hiding in broadband gateways?

The US government today said it disrupted a botnet that Russia's GRU military intelligence unit used for phishing expeditions, spying, credential harvesting, and data theft against American and foreign governments and other strategic targets.

This latest court-authorized takedown happened in January, and involved neutralizing "well over a thousand" home and small business routers that had been infected with the Moobot malware, which is a Mirai variant, according to FBI Director Christopher Wray, speaking at the Munich Cyber Security Conference on Thursday. Moobot can be used to remote-control compromised devices and launch attacks against networks.

Non-GRU cybercriminals installed Moobot on Ubiquiti Edge OS routers using publicly known default administrator passwords, we're told. Then the GRU spying team (tracked as APT 28, Forest Blizzard, and Fancy Bear among other names) used Moobot to install their own bespoke scripts and files that repurposed the botnet, thus "turning it into a global cyber espionage platform," according to the Feds.

"Russian intelligence services turned to criminal groups to help them target home and office routers, but the Justice Department disabled their scheme," opined Attorney General Merrick Garland. "We will continue to disrupt and dismantle the Russian government’s malicious cyber tools that endanger the security of the United States and our allies."

The botnet targeted organizations that are of interest to the Russian government, including US and foreign governments and military, security, and corporate organizations. In December Microsoft said the Fancy Bear crew had been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets such as government, defense, and aerospace agencies in the US and Europe, though didn't say if a botnet was used in the attacks.

And earlier this week it emerged Kremlin agents had been caught misusing OpenAI's models to generate phishing emails and malicious software scripts.

Takedown

According to American prosecutors, the Feds were able to instruct the Moobot botnet to copy and delete malicious files – including the malware itself – and any stolen data on the compromised routers, likely similar to what the DOJ did with the recent Volt Typhoon KV botnet takedown.

The FBI said [PDF] the dismantling of the Moobot network also involved modifying the routers' firewall rules to block remote management access to the devices, preventing them from being further hijacked, and "enabled temporary collection of non-content routing information that would expose GRU attempts to thwart" the operation.

That is to say, Uncle Sam was able to prevent Russia's use of the botnet by firewalling off remote management access, scrubbing the malware from the routers, and inspecting the Kremlin's handiwork on the infected equipment. All this was carried out with the consent of the owners of the infected equipment, we're told.

Plus, the Feds said, users can roll back Uncle Sam's firewall rule changes via factory resets or the routers' web-based user interface, though bear in mind a reset potentially leaves devices open to hijacking again if one doesn't change the admin password from the default.

"A factory reset that is not also accompanied by a change of the default administrator password will return the router to its default administrator credentials, leaving the router open to reinfection or similar compromises," the Justice Department warned.
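The mitigation the article describes, blocking remote management from the internet side and replacing the factory admin credentials, written out as an EdgeOS configuration fragment an owner would re-apply after a factory reset. This is an added illustration, not part of the article or of any DOJ or Ubiquiti material; the factory account name ubnt, the WAN interface eth0, the firewall policy name and the rule numbers are assumptions about a typical EdgeRouter setup.

```text
# Added illustration (not from the article). Assumes WAN on eth0 and the
# factory default account name 'ubnt'; adjust to the device in front of you.
configure

# Weak state the article describes, which a factory reset brings back:
#   - the factory account still carries its default password
#   - no firewall policy on eth0 'local', so SSH/HTTPS/GUI answer from the WAN
# Because a reset wipes everything below, repeat these steps after every reset.

# 1. Replace the factory password (constructed placeholder value).
set system login user ubnt authentication plaintext-password 'REPLACE-WITH-A-LONG-UNIQUE-PASSPHRASE'

# 2. Policy for traffic addressed to the router itself on the WAN side:
#    drop by default, accept only replies to sessions the router opened.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'Block remote management from the internet'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable

# 3. Attach the policy to the WAN interface in the 'local' direction, which is
#    the path packets take to reach the router's own SSH, HTTPS and GUI ports.
set interfaces ethernet eth0 firewall local name WAN_LOCAL

commit
save
exit
```

Management from the LAN is unaffected by this policy; in operational mode, `show firewall name WAN_LOCAL` lists the rules as committed so the result can be checked before the session is closed.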

This is the second time in as many months that the Feds claim to have upended a state-sponsored botnet. The first, announced in January, belonged to China's Volt Typhoon, which had abused hundreds of outdated Cisco and Netgear boxes to break into energy facilities, emergency networks and other US critical infrastructure orgs.

However, as Google's Mandiant Intelligence chief analyst John Hultquist told The Register, it's likely the Kremlin-backed crew "will be back with a new scheme soon."

"As elections loom, it's never been a better time to add friction to GRU operations," he said.

Fancy Bear is believed to have been behind intrusions into the US Democratic Party's computers during the 2016 US presidential race, and they have continued to try to disrupt elections ever since.

"The hack and leak operations they have carried out may be the most effective cyberattack on elections we've witnessed, and we have no reason to believe they won't replay this tactic again," Hultquist said.


TOPICS: Business/Economy; Crime/Corruption; Front Page News; News/Current Events; Politics/Elections; Russia; Technical
KEYWORDS: apt28; botnet; china; cybersecurity; fancybear; forestblizzard; gru; hackers; hacking; iran; malware; northkorea; russia; spying; volttyphoon

1 posted on 02/16/2024 3:42:02 PM PST by nickcarraway

To: nickcarraway

routers -> "using publicly known default administrator passwords"


2 posted on 02/16/2024 3:45:27 PM PST by linMcHlp

To: nickcarraway

So how many sensitive data locations leave the default router password in place? What is it, admin admin?


3 posted on 02/16/2024 3:46:11 PM PST by monkeyshine (live and let live is dead)

To: nickcarraway

Is our US hacker botnet still up and working?


4 posted on 02/16/2024 3:52:46 PM PST by x

To: nickcarraway

SkyNet is here. And Arnold is still living. What else pray tell is in play ?


5 posted on 02/16/2024 3:56:39 PM PST by George from New England

To: nickcarraway

“FBI confirms it issued remote kill command to blow out Volt Typhoon’s botnet”

So what are the technical details? Did the FBI remotely shut down the 1,000 routers without permission or a warrant to do so? Did the FBI do a remote and unauthorized reset of the routers? Did the FBI download a firmware update to the routers? Did they contact owner? Did they contact Ubiquiti?

There’s a lot untold here.


6 posted on 02/16/2024 3:57:33 PM PST by ProtectOurFreedom (“Occupy your mind with good thoughts or your enemy will fill them with bad ones.” ~ Thomas More)

To: monkeyshine

No admin and password


7 posted on 02/16/2024 3:59:39 PM PST by cableguymn

To: ProtectOurFreedom

exactly


8 posted on 02/16/2024 4:03:33 PM PST by Gene Eric (Don't be a statist! )

To: cableguymn

You gave it away!! I’m vulnerable now that you’ve exposed me.


9 posted on 02/16/2024 4:08:40 PM PST by BipolarBob (One flew East and one flew West . . .)

To: nickcarraway

My router is no longer working. Weird.


10 posted on 02/16/2024 4:20:14 PM PST by Jeff Chandler (THE ISSUE IS NEVER THE ISSUE. THE REVOLUTION IS THE ISSUE.)

To: nickcarraway

Fancy Bear is believed to have been behind intrusions into the US Democratic Party's computers during the 2016 US presidential race,

100% false...this is letter agency gaslighting.

11 posted on 02/16/2024 4:25:59 PM PST by mac_truck (aide toi et dieu t'aidera)

To: BipolarBob

Just switch um to password admin. You’ll be fine


12 posted on 02/16/2024 4:42:06 PM PST by cableguymn

To: All

How many of these “Russia, Russia, Russia” claims are actually our own corrupt IC schemes, or Biden’s Chinese friends doing it.... Or just outright 0’Biden regime lies meant to push us closer into Armageddon?


13 posted on 02/16/2024 4:58:42 PM PST by LegendHasIt

To: mac_truck

(Fancy Bear is believed to have been behind intrusions into the US Democratic Party’s computers during the 2016 US presidential race,)

Well of course.

The Russians cheated Hillary out of her win!

Launch the ICBMs now!!


14 posted on 02/16/2024 5:12:11 PM PST by SaveFerris (Luke 17:28 ... as it was in the Days of Lot; They did Eat, They Drank, They Bought, They Sold ......)

To: nickcarraway

Why does this sound like a construct and why do I question the assertions of the government?

Hmmmmm....


15 posted on 02/16/2024 5:19:57 PM PST by logi_cal869 (-cynicus the "concern troll" a/o 10/03/2018 /!i!! &@$%&*(@ -)

To: Jeff Chandler

What’s really weird is my router IS working!


16 posted on 02/16/2024 5:33:32 PM PST by griswold3 (Truth, Beauty and Goodness. )

To: nickcarraway

I’m spit balling here, but I don’t think they “shut down” whatever operation it was. I think they just commandeered it for its own use against Americans.


17 posted on 02/16/2024 5:36:09 PM PST by Gaffer

To: nickcarraway

Are these the people who claim to have hijacked my webcam and recorded me doing unspeakable and sordid things to myself?


18 posted on 02/16/2024 5:36:45 PM PST by Trailerpark Badass (“There should be a whole lot more going on than throwing bleach,” said one woman)

To: nickcarraway

Russia has its own brilliant engineers. It is China that has to steal everything.


19 posted on 02/16/2024 5:43:17 PM PST by Revel

To: mac_truck

Fancy Bear is believed to have been behind intrusions into the US Democratic Party's computers during the 2016 US presidential race,

One blatant bald-faced lie like that throws a lot of shade on the credibility of the rest of the press release.

20 posted on 02/16/2024 5:54:59 PM PST by TigersEye (Our Republic is under seige by globalist Marxists. Hold fast!)

