An anonymous reader shared a report. More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware that Russian-backed operatives folded into botnets for criminal and espionage purposes, according to the Department of Justice. The FBI director said the malware, which served as a botnet for the Russian hacker group Fancy Bear, was removed in January 2024 under a secret court order as part of Operation Dying Ember. The affected devices were routers running Ubiquiti's EdgeOS, but only those whose default administrative passwords had never been changed. Access to the routers allowed the hacker group to “conceal or carry out a variety of crimes,” including spear phishing and credential harvesting, in the U.S. and abroad, the Justice Department alleges.
Unlike previous attacks by Fancy Bear (which the Department of Justice ties to GRU military unit 26165, also known as APT 28, Sofacy Group, Sednit, etc.), the Ubiquiti intrusion relied on the known malware Moobot. The routers were first infected by “non-GRU cybercriminals”; GRU personnel then used that Moobot access to install “customized scripts and files” that connected to the devices and repurposed them, according to the Justice Department. The Justice Department also used the Moobot malware to copy and delete the botnet's files and data, and then modified the routers' firewall rules to block remote administrative access, the Justice Department said. During the court-approved intrusion, the Justice Department “enabled the temporary collection of non-content routing information” that “revealed the GRU's efforts to thwart the operation.” This “did not affect the normal functioning of the router or collect any legitimate user content information,” the Justice Department claims. “For the second time in two months, we have stopped state-sponsored hackers from launching a cyber attack behind a compromised U.S. router,” Deputy Attorney General Lisa Monaco said in a press release.
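The two conditions the report singles out, a factory administrative account that was never replaced and management services reachable from the WAN, are both visible in an EdgeOS configuration dump, and the remediation the Justice Department applied (firewall rules that block remote administrative access) is the same thing an operator would configure themselves. The following audit script is an added example, not code from the report, Ubiquiti, or the Justice Department; it assumes the `set ...` line format of EdgeOS `show configuration commands`, assumes the factory account is named `ubnt`, and uses two constructed sample configurations (one weak, one hardened) rather than anything captured from a real device.

```python
"""Audit an EdgeOS-style 'show configuration commands' dump for two weaknesses:
a factory admin account still defined, and SSH/GUI enabled on a router whose
WAN interface has no default-drop 'local' firewall policy (the policy that
governs traffic addressed to the router itself).

Both sample configurations are constructed for this example. The factory
account name 'ubnt' is an assumption based on EdgeRouter defaults; a config
dump only shows a password hash, so the account's presence is used as a proxy
for 'default credentials were never replaced'.
"""
import shlex

# Constructed sample: factory account present, management services on,
# and no local firewall policy attached to the WAN interface.
WEAK_CONFIG = """\
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 address 192.168.1.1/24
set service gui https-port 443
set service ssh port 22
set system login user ubnt authentication encrypted-password '$1$constructed$hash'
set system login user ubnt level admin
"""

# Constructed sample: factory account replaced by a named admin, and a
# default-drop policy on WAN-originated traffic destined for the router,
# allowing only established/related return traffic.
HARDENED_CONFIG = """\
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 address 192.168.1.1/24
set service gui https-port 443
set service ssh port 22
set system login user netops authentication encrypted-password '$6$constructed$hash'
set system login user netops level admin
"""

FACTORY_ACCOUNT = "ubnt"  # assumed EdgeRouter factory user name


def parse_set_lines(config_text):
    """Turn each 'set a b c ...' line into its token path; skip other lines."""
    paths = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        paths.append(shlex.split(line)[1:])  # drop the leading 'set'
    return paths


def audit_edgeos_config(config_text, wan_iface="eth0"):
    """Return a list of human-readable findings; empty means no issue found."""
    paths = parse_set_lines(config_text)
    findings = []

    # 1. Factory account still defined -> default credentials may still work.
    if any(p[:4] == ["system", "login", "user", FACTORY_ACCOUNT] for p in paths):
        findings.append(f"factory account '{FACTORY_ACCOUNT}' still present")

    # 2. Which management services are enabled at all.
    mgmt = {p[1] for p in paths
            if len(p) > 1 and p[0] == "service" and p[1] in ("gui", "ssh")}

    # 3. Is a 'local' firewall policy attached to the WAN interface, and does
    #    that policy default to drop? Without it, (2) is reachable from the WAN.
    local_policy = None
    for p in paths:
        if (p[:3] == ["interfaces", "ethernet", wan_iface]
                and p[3:6] == ["firewall", "local", "name"] and len(p) > 6):
            local_policy = p[6]
    if mgmt and local_policy is None:
        findings.append(
            f"{sorted(mgmt)} enabled but no local firewall policy on {wan_iface}")
    elif local_policy is not None:
        drops = any(p == ["firewall", "name", local_policy, "default-action", "drop"]
                    for p in paths)
        if not drops:
            findings.append(
                f"policy {local_policy} on {wan_iface} does not default to drop")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_edgeos_config(cfg) or ["no findings"])
```

Feed it the output of `show configuration commands` from each router and pass the WAN interface name if it is not `eth0`. The check deliberately stops at "policy exists and defaults to drop"; it does not try to prove that no accept rule in the policy reopens SSH or the GUI, so a clean result is a necessary condition, not a full verdict.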