US crimefighters shut down botnet used by Russian Fancy Bear hackers


US law enforcement agents have revealed their success in shutting down a malicious botnet used by the notorious Fancy Bear hackers.

The U.S. Department of Justice (DoJ) said in a press release its agents conducted a “court-authorized operation” that has neutralized a network of “hundreds of small office/home office (SOHO) routers”.

As explained by the DoJ, most of the Ubiquiti EdgeOS routers used in the botnet had previously been infected with malware called Moobot, developed by a private hacking group. That group targeted routers still running factory-default or otherwise easy-to-guess passwords in order to install the malware. APT28 then swooped in and took over the malware, turning the infected devices into a “global cyber espionage platform.”

Using malware to destroy malware

For the uninitiated, Fancy Bear is also known as Sofacy and APT28, and is a Russian state-sponsored threat actor under the direct command of the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU).

The botnet was used, the DoJ further explained, for a wide variety of malicious activities, including campaigns against Ukraine that form part of Russia’s war effort against its south-western neighbor.

Because the majority of the infected routers were located in the United States, the distributed denial of service attacks, phishing, and other activity aimed at Ukrainian infrastructure appeared to originate from American addresses.

To take down the botnet, the DoJ’s agents used the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.

“Additionally, in order to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation,” the DoJ further explained.

The action did not impact the routers’ normal functionality, nor did it collect legitimate user content. Furthermore, users can roll back the firewall rule changes and factory-reset their devices; since a factory reset restores the default credentials that made the devices easy targets in the first place, it would be wise to change the passwords afterwards to something harder to break.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.