The FBI successfully thwarted a botnet operation orchestrated by Russia’s GRU, targeting small office/home office (SOHO) routers in the United States and its allies. This network, infected with Moobot malware, was repurposed by GRU Military Unit 26165 to conduct cyber espionage activities, including spearphishing and credential theft attacks. Through Operation Dying Ember, FBI agents remotely accessed compromised routers to delete stolen data and block GRU’s remote access, effectively neutralizing the botnet’s capabilities without disrupting standard router functionality.
The botnet, controlled by the GRU group tracked as APT28, Fancy Bear, and Sednit, posed a significant threat to various entities, including U.S. and foreign governments, military organizations, and corporate entities. Leveraging Moobot malware, initially deployed by cybercriminals, GRU hackers infiltrated routers that still used default credentials, gaining unauthorized access to conduct malicious activities globally. The FBI’s intervention aimed to mitigate the risk posed by the botnet, ensuring the protection of sensitive data and preventing further cyber attacks orchestrated by the GRU.
In addition to deleting stolen and malicious data from compromised routers, the FBI’s operation involved modifying firewall rules to block remote management access, effectively severing GRU’s link to the botnet. While these actions were temporary, they provided crucial time for affected users to mitigate the compromise and regain full control over their routers. The FBI’s swift and coordinated response highlights the importance of proactive cybersecurity measures in combating state-sponsored cyber threats and safeguarding critical infrastructure from malicious actors.
This successful operation adds to the FBI’s ongoing efforts to disrupt state-sponsored cyber activities, following the takedown of the Chinese KV-botnet used by Volt Typhoon hackers earlier in the year. Through collaboration with government agencies and cybersecurity experts, such interventions aim to enhance the resilience of global networks and prevent unauthorized access to sensitive information.