
U.S. authorities disrupt Russian intelligence’s botnet
2024-02-16 10:54

In January 2024, an operation dismantled a network of hundreds of SOHO routers controlled by GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit.

The Department's court-authorized operation leveraged the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.

To neutralize the GRU's access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers' firewall rules to block remote management access to the devices. During the course of the operation, it also enabled temporary collection of non-content routing information that would expose any GRU attempts to thwart the operation.

"The FBI utilized its technical capabilities to disrupt Russia's access to hundreds of routers belonging to individuals in addition to small and home offices. This type of criminal behavior is simply unacceptable, and the FBI, in coordination with our federal and international partners, will not allow for any of Russia's services to negatively impact the American people and our allies."

The court-authorized steps to disconnect the routers from the Moobot network are temporary; users can roll back the firewall rule changes by undertaking factory resets of their routers or by accessing their routers through their local network.

A factory reset that is not accompanied by a change of the default administrator password returns the router to its default administrator credentials, leaving it open to reinfection or similar compromise.
