©2021 Reporters Post24. All Rights Reserved.
The FBI says it disinfected over 1,000 routers that Russian government hackers were allegedly using to send out phishing emails and collect stolen logins.
The Justice Department blames the Russian hacking group “Fancy Bear” for exploiting the routers to infiltrate targets, such as US government agencies, and military and corporate groups.
“This is yet another case of Russian military intelligence weaponizing common devices and technologies for that government’s malicious aims,” says US Attorney Jacqueline Romero for the Eastern District of Pennsylvania.
The infected routers formed a botnet that could secretly receive orders and stage hacking schemes for Fancy Bear, which the US connects to Russia’s main intelligence agency, the GRU.
The affected routers ran Ubiquiti’s EdgeOS, and were used in home offices and small businesses. However, Fancy Bear didn’t infect the routers directly. Instead, federal officials say a cybercriminal group in Russia first installed the “Moobot” malware on the routers, which was still been configured with the default administrator password.
“GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the DOJ says.
To stop the botnet, the FBI secured a court order to essentially hack the botnet—a tactic the federal agency is increasingly using against state-sponsored cyberspying, including to stymie Chinese hackers.
In this case, the FBI was able to hijack the Moobot malware “to copy and delete stolen and malicious data and files from compromised routers.” In addition, the FBI was also able to reconfigure the routers’ firewall rules to thwart the Russian hackers from returning. “The operation did not impact the routers’ normal functionality or collect legitimate user content information,” the DOJ says.
To prevent the routers from being targeted again, the FBI plans on notifying affected customers. The agency is advising owners to perform a factory reset to flush the device of any malicious files and then to install the latest firmware version. Also critical is changing the default admin password and configuring the firewall settings to prevent exposure of the router’s remote management services.