
U.S. Wages Cyber War on Russian Military Botnet


The United States and its allies have struck a significant blow to a Russian military botnet network whose targets included numerous government and military entities and corporations.

A January 2024 court-authorized operation effectively neutralized a network of hundreds of small office/home office (SOHO) routers that the Armed Forces of the Russian Federation (GRU) Military Unit 26165 used to conceal and enable a variety of cybercrimes, according to a U.S. Department of Justice Office of Public Affairs news release. The GRU unit is also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit.

The GRU’s cybercrimes included vast spearphishing and similar credential harvesting campaigns against targets of interest to the Russian government, the Justice Department said.

Federal Bureau of Investigation (FBI) Director Christopher Wray spoke at the Munich Security Conference this week where he announced the impact of Operation Dying Ember on the Russian cyber operation.

“Operation Dying Ember, where working with our U.S. — and, again, worldwide law enforcement partners — we ran a court-authorized technical operation to kick the Russian GRU off well over a thousand home and small business routers and lock the door behind them, killing the GRU’s access to a botnet it was piggybacking to run cyber operations against countries around the world, including America and its allies in Europe,” Wray said.

He continued, “With these operations, and many more like them, we’ve set our sights on all the elements that we know from experience make criminal organizations tick: their people — a term we define broadly to include not just ransomware administrators and affiliates, but their facilitators, like bulletproof hosters and money launderers; their infrastructure; their servers, botnets, etc.; and their money, the cryptocurrency wallets they use to stash their ill-gotten gains, hire associates and lease infrastructure.

“Because we don’t just want to hit them — we want to hit them everywhere it hurts, and put them down, hard.”

Cyber Experts Weigh In

Tom Kellermann, senior vice president of Cyber Strategy at Contrast Security, who partners with MSSPs, applauded the FBI’s response, emphasizing that the counterinsurgency against the GRU in American cyberspace is escalating.

“This is but one battle in a larger cyberwar which is heating up with more sophisticated AI generated cyberattacks targeting critical infrastructures,” Kellermann said. “I am very concerned that we will experience destructive cyberattacks after we fund Ukraine’s military. Hybrid warfare is here to stay.”

On the subject of botnets built from routers, Marcelo Ruano, threat intelligence expert at Outpost24, warned that insufficiently protected SOHO routers are a valuable target for malicious cyber operations.

"When routers become part of a botnet, this allows the controller to perform many malicious activities such as masquerading the traffic of their malicious activity as legit, hosting phishing landing pages, crypto mining, brute force attacks or propagating the botnet malware to other devices," Ruano said. "The recent detection and disruption of the KV-Botnet and Moobot botnets operated by state-sponsored threat actors targeting SOHO routers in the United States is evidence of the high interest of sophisticated nation state threat actors in infiltrating U.S. networks."

Cyber War Tactics Detailed

The botnet was distinct from prior GRU and Russian Federal Security Service (FSB) malware networks in that the GRU did not create it from scratch, the Justice Department said. Instead, the GRU relied on the “Moobot” malware, which is associated with a known criminal group.

Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used Moobot to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform, the Justice Department explained.

“The Department’s court-authorized operation leveraged the Moobot malware to copy and delete stolen and malicious data and files from compromised routers,” the Justice Department stated. “Additionally, in order to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.”
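The two weaknesses described above, a router still running its publicly known default administrator password and management services reachable from the internet, are both things a defender can check for in a configuration export before an operation like this one has to do it for them. The following audit script is an added example and is not code from the article, the Justice Department or Ubiquiti; it runs over a constructed, EdgeOS-style "set ..." configuration dump (the key names, the `WAN` description convention, the `WAN_LOCAL` policy name and the sample credentials are all assumptions of this example), flags default credentials and WAN-facing management access, and shows a weak configuration beside a hardened one.

```python
"""Audit an EdgeOS-style router config for default admin credentials and for
management services (SSH / web GUI) reachable from the WAN interface.
All configuration text below is constructed for this example."""

# Factory default credentials to flag (constructed list; ubnt/ubnt is the
# widely documented Ubiquiti EdgeOS default, the others are generic).
DEFAULT_CREDENTIALS = {("ubnt", "ubnt"), ("admin", "admin"), ("admin", "password")}

# Weak configuration: default password, permissive WAN_LOCAL policy and a
# rule that accepts the HTTPS management port from any source.
WEAK_CONFIG = """
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set firewall name WAN_LOCAL default-action accept
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 destination port 443
set service ssh port 22
set service gui https-port 443
set system login user ubnt authentication plaintext-password ubnt
"""

# Hardened configuration: non-default account, WAN_LOCAL drops by default and
# only admits established/related traffic back to the router itself.
HARDENED_CONFIG = """
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set service ssh port 22
set service gui https-port 443
set system login user netadmin authentication plaintext-password long-unique-passphrase
"""


def parse_config(text):
    """Split each 'set a b c ...' line into its tokens (without 'set')."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def find_default_credentials(entries):
    findings = []
    for toks in entries:
        if toks[:3] == ["system", "login", "user"] and "plaintext-password" in toks:
            user, pw = toks[3], toks[toks.index("plaintext-password") + 1]
            if (user, pw) in DEFAULT_CREDENTIALS:
                findings.append(f"user '{user}' still uses a factory default password")
    return findings


def management_ports(entries):
    """Ports the router's own SSH and web GUI listen on (22/443 unless set)."""
    ports = {"22", "443"}
    for toks in entries:
        if toks[:3] == ["service", "ssh", "port"] or toks[:3] == ["service", "gui", "https-port"]:
            ports.add(toks[3])
    return ports


def wan_interfaces(entries):
    return {toks[2] for toks in entries
            if toks[:2] == ["interfaces", "ethernet"] and toks[3:5] == ["description", "WAN"]}


def local_policy_for(entries, iface):
    """Name of the 'local' (traffic to the router itself) policy on iface, if any."""
    for toks in entries:
        if toks[:3] == ["interfaces", "ethernet", iface] and toks[3:6] == ["firewall", "local", "name"]:
            return toks[6]
    return None


def policy_default_action(entries, name):
    for toks in entries:
        if toks[:3] == ["firewall", "name", name] and len(toks) > 4 and toks[3] == "default-action":
            return toks[4]
    return None


def open_management_rules(entries, policy, mgmt_ports):
    """(rule, port) pairs where an accept rule admits a management port from any source."""
    rules = {}
    for toks in entries:
        if toks[:3] == ["firewall", "name", policy] and toks[3:4] == ["rule"]:
            r = rules.setdefault(toks[4], {"action": None, "ports": set(), "source": False})
            rest = toks[5:]
            if rest[:1] == ["action"]:
                r["action"] = rest[1]
            elif rest[:2] == ["destination", "port"]:
                r["ports"].update(rest[2].split(","))
            elif rest[:1] == ["source"]:          # any source restriction at all
                r["source"] = True
    return [(num, p) for num, r in sorted(rules.items(), key=lambda kv: int(kv[0]))
            if r["action"] == "accept" and not r["source"]
            for p in sorted(r["ports"] & mgmt_ports)]


def audit(text):
    """Return a list of human-readable findings; an empty list means clean."""
    entries = parse_config(text)
    findings = find_default_credentials(entries)
    mgmt = management_ports(entries)
    for iface in sorted(wan_interfaces(entries)):
        policy = local_policy_for(entries, iface)
        if policy is None:
            findings.append(f"{iface}: no local firewall policy, management services reachable from WAN")
            continue
        if policy_default_action(entries, policy) != "drop":
            findings.append(f"{iface}: policy {policy} default-action is not drop")
        for rule, port in open_management_rules(entries, policy, mgmt):
            findings.append(f"{iface}: policy {policy} rule {rule} accepts management port {port} from any source")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

The check deliberately treats a missing `default-action drop` as a finding rather than relying on any platform default, and it treats any `source` qualifier on a rule as a restriction, so an accept rule scoped to a known management subnet is not reported; tighten that to a specific allow-list if your environment has one.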

AG Garland Puts Russia On Notice

Commenting on Operation Dying Ember, Attorney General Merrick B. Garland said, “The Justice Department is accelerating our efforts to disrupt the Russian government’s cyber campaigns against the United States and our allies, including Ukraine. In this case, Russian intelligence services turned to criminal groups to help them target home and office routers, but the Justice Department disabled their scheme.”

Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division added, “Notably, this represents the third time since Russia’s unjustified invasion of Ukraine that the Department has stripped the Russian intelligence services of a key tool used to further the Kremlin’s acts of aggression and other malicious activities.”

If you believe you have a compromised router, visit the FBI’s Internet Crime Complaint Center.

U.S. Conducts Cyberattack on Iranian War Ship

The U.S. recently launched a cyberattack against an Iranian military ship, NBC News reported on February 15. The ship had been collecting intelligence on cargo vessels in the Red Sea and the Gulf of Aden, according to U.S. officials.

The cyberattack was part of the Biden administration’s response to the drone attack by Iranian-backed militias in Iraq that killed three U.S. service members in Jordan and wounded dozens of others late last month, NBC News said. The operation was intended to obstruct the Iranian ship from sharing intelligence with Houthi rebels in Yemen who have been firing missiles and drones at cargo ships in the Red Sea.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.