Feds dismantle Russian GRU botnet built on 1,000-plus home, small biz routers

Beijing, now Moscow.… Who else is hiding in broadband gateways?

The US government today said it disrupted a botnet that Russia's GRU military intelligence unit used for phishing expeditions, spying, credential harvesting, and data theft against American and foreign governments and other strategic targets.

This latest court-authorized takedown happened in January, and involved neutralizing "well over a thousand" home and small business routers that had been infected with the Moobot malware, which is a Mirai variant, according to FBI Director Christopher Wray, speaking at the Munich Cyber Security Conference on Thursday. Moobot can be used to remote-control compromised devices and launch attacks against networks.

Non-GRU cybercriminals installed Moobot on Ubiquiti Edge OS routers using publicly known default administrator passwords, we're told. Then the GRU spying team (tracked as APT 28, Forest Blizzard, and Fancy Bear among other names) used Moobot to install their own bespoke scripts and files that repurposed the botnet, thus "turning it into a global cyber espionage platform," according to the Feds.

Russian intelligence services turned to criminal groups to help them target home and office routers

"Russian intelligence services turned to criminal groups to help them target home and office routers, but the Justice Department disabled their scheme," opined Attorney General Merrick Garland. "We will continue to disrupt and dismantle the Russian government’s malicious cyber tools that endanger the security of the United States and our allies."

The botnet targeted organizations that are of interest to the Russian government, including US and foreign governments and military, security, and corporate organizations. In December Microsoft said the Fancy Bear crew had been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets such as government, defense, and aerospace agencies in the US and Europe, though didn't say if a botnet was used in the attacks.

And earlier this week it emerged Kremlin agents had been caught misusing OpenAI's models to generate phishing emails and malicious software scripts.


According to American prosecutors, the Feds were able to instruct the Moobot botnet to copy and delete malicious files – including the malware itself – and any stolen data on the compromised routers, likely similar to what the DOJ did with the recent Volt Typhoon KV botnet takedown.

The FBI said [PDF] the dismantling of the Moobot network also involved modifying the routers' firewall rules to block remote management access to the devices, preventing them from being further hijacked, and "enabled temporary collection of non-content routing information that would expose GRU attempts to thwart" the operation.

That is to say, Uncle Sam was able to prevent Russia's use of the botnet by firewalling off remote management access, scrubbed the malware from the routers, and also inspected the Kremlin's handiwork on the infect equipment. All this was carried out with the consent of the owners of infected equipment, we're told.

Plus, the Feds said, users can rollback Uncle Sam's firewall rule changes via factory resets, or the routers' web-based user interface, though bear in mind a reset potentially leaves devices open to hijacking again if one doesn't change the admin password from the default.

"A factory reset that is not also accompanied by a change of the default administrator password will return the router to its default administrator credentials, leaving the router open to reinfection or similar compromises," the Justice Department warned.

This is the second time in as many months that the Feds claim to have upended a state-sponsored botnet. The first, announced in January, belonged to China's Volt Typhoon, which had abused hundreds of outdated Cisco and Netgear boxes to break into energy facilities, emergency networks and other US critical infrastructure orgs.

However, as Google's Mandiant Intelligence chief analyst John Hultquist told The Register, it's likely the Kremlin-backed crew "will be back with a new scheme soon."

"As elections loom, it's never been a better time to add friction to GRU operations," he said.

Fancy Bear is believed to have been behind intrusions into the US Democratic Party's computers during the 2016 US presidential race, and they have continued to try to disrupt elections ever since.

"The hack and leak operations they have carried out may be the most effective cyberattack on elections we've witnessed, and we have no reason to believe they won't replay this tactic again," Hultquist said. ®

More about


Send us news

Other stories you might like