Feb. 15 (UPI) — The U.S. Justice Department said Thursday that it thwarted a Russia-backed hacking network that infiltrated hundreds of home and office Internet routers.
The Justice Department in a release said an affiliate of the Russian Federation’s Main Intelligence Directorate (GRU) used malware to create a network of hundreds of small routers for the purpose of harvesting information from U.S. and foreign entities.
The the hacking group, known as GRU Military Unit 26165, APT 28 or Fighting Ursa, used the “Moobot” malware previously associated with a criminal hacker group, the Justice Department said.
According to the Justice Department, non-GRU hackers had installed the Moobot malware onto Ubiquiti Edge OS routers, enabling APT 28 to repurpose the existing botnet into a global cyber espionage network.
“In this case, Russian intelligence services turned to criminal groups to help them target home and office routers, but the Justice Department disabled their scheme,” said Attorney General Merrick Garland. “We will continue to disrupt and dismantle the Russian government’s malicious cyber tools that endanger the security of the United States and our allies.”
Through a court-authorized operation in January, the Justice Department leveraged the malware to copy and delete stolen and harmful data and files from the compromised routers.
The operation also reversibly modified the routers’ firewall rules to block remote management access to the devices. Other than preventing GRU from accessing the routers, the operation did not impact their normal functions or collect user information, the Justice Department said.
The Justice Department said users with compromised routers can roll back the firewall changes by performing a factory reset or by accessing the router through their local network. Users should change the default administrator password after a factory reset to prevent the router from being compromised in the future.
The recent APT 28 malware attack follows a National Cybersecurity Coordination Center advisory recently posted a warning that the group attempted to gain access to Ukraine’s military systems by stealing personnel’s credentials.
Ukrainian cybersecurity researchers said in December they found APT 28 utilized an exploit in Microsoft Outlook to target critical infrastructure organizations in NATO countries, such as energy, transportation, pipeline operations, military and economic entities.