"FBI Dismantles Ubiquiti Router Botnet Controlled by Russian Cyberspies"

The US government recently neutralized another small office/home office (SOHO) router botnet used by Russian cyberspies in malware campaigns. According to a notice from the Department of Justice (DoJ), a court-authorized operation disrupted a network of hundreds of Ubiquiti Edge OS routers under the control of the notorious APT28 group. The group, also known as Forest Blizzard/Sofacy/Fancy Bear, is connected to the Russian Federation's Main Intelligence Directorate of the General Staff (GRU) and was caught using the hijacked routers as a "global espionage platform."

The DoJ said this botnet was built by cybercriminals using the known "Moobot" malware and later commandeered by the Russian APT group. The DoJ noted that non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.

In order to neutralize the GRU's access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers' firewall rules to block remote management access to the devices. During the course of the operation, it also enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.

SecurityWeek reports: "FBI Dismantles Ubiquiti Router Botnet Controlled by Russian Cyberspies"

Submitted by Adam Ekwall on