What just happened? It must be frustrating for the FBI that consumers and small businesses are not securing their routers. As far as we know, twice this year the agency has taken down botnets that foreign state actors built on unprotected routers. This latest incident involved Russia.
A court-authorized FBI operation has taken down a network of hundreds of Ubiquiti Edge OS routers worldwide infected with known malware called Moobot. The malware turned the routers into a botnet controlled by state-backed agents with the help of a Russian hacking group known by various names, including Fancy Bear and APT 28. The targets were of intelligence interest to the Russian government and had been subject to spearphishing and similar credential-harvesting campaigns.
The malware only infected Ubiquiti Edge OS routers using publicly known default administrator passwords. Hackers then used the malware to install “bespoke scripts” and files that repurposed the botnet, turning it into a global cyber espionage platform.
The FBI used the hackers’ own malware against them to copy and delete stolen and malicious data and files from compromised routers. Then, it modified the routers’ firewall rules to block remote management access to the devices. It also enabled the temporary collection of non-content routing information as part of its evidence gathering.
The FBI says the operation did not impact the routers’ functionality, nor did it collect legitimate user content. Router owners can roll back the firewall rule changes by performing a factory reset or accessing the router through their local network. After resetting, the agency strongly urges users to change the default administrator password. Otherwise, the router will be left open to another attack.
“This is yet another case of Russian military intelligence weaponizing common devices and technologies for that government’s malicious aims,” said U.S. Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania. “As long as our nation-state adversaries continue to threaten U.S. national security in this way, we and our partners will use every tool available to disrupt their cyber thugs – whomever and wherever they are.”
This takedown follows last month’s disruption by the FBI of hundreds of Cisco and Netgear routers left vulnerable because they had reached end-of-life status and were no longer receiving security updates. A state-sponsored Chinese hacker group called Volt Typhoon used KV Botnet malware in that attack. The bad actors used the privately owned routers to target critical infrastructure organizations in the US. The FBI strongly encouraged router owners to remove and replace any end-of-life routers on their network.