Feds once again fix up compromised retail routers under court order.
# Incident Report: Disruption of Russian-Controlled Botnet on Ubiquiti Routers
## Executive Summary
In January 2024, the U.S. Department of Justice (DOJ), acting under a secret court order in an operation codenamed "Operation Dying Ember," disrupted a botnet of more than 1,000 compromised Ubiquiti routers used by the Russian state-sponsored hacking group Fancy Bear (APT 28). The attackers took over routers already infected with the Moobot malware, layering their own custom scripts on top for criminal and espionage activities, including spearphishing. In response, the DOJ used the original malware to wipe the malicious components and secure the devices against further compromise.
## Incident Details
- **Discovery Date:** Not explicitly stated (the response occurred in January 2024, implying earlier discovery or ongoing surveillance).
- **Incident Date:** Ongoing malicious activity prior to January 2024 disruption.
- **Affected Organization:** Over 1,000 individual homes and small businesses using Ubiquiti EdgeOS routers.
- **Sector:** Various (Consumer and Small Business Infrastructure).
- **Geography:** United States.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown prior to January 2024.
- **Vector:** Exploitation of default administrative passwords on Ubiquiti EdgeOS routers.
- **Details:** The routers were initially infected with the Moobot malware by "Non-GRU cybercriminals." Fancy Bear agents then installed bespoke scripts and files to co-opt these devices into their infrastructure.
### Lateral Movement
- **Details:** Lateral movement within the victim network was likely minimal as the focus was on compromising the router hardware itself to be used as a proxy or command-and-control (C2) node for external criminal activities (spearphishing, credential harvesting).
### Data Exfiltration/Impact
- **Details:** The compromised routers were used to "conceal and otherwise enable a variety of crimes," including spearphishing and credential harvesting both domestically and internationally. The impact lies in the activities carried out *through* the routers rather than in data stolen *from* the end-user devices themselves, although credentials were harvested from targets abroad.
### Detection & Response
- **How it was discovered:** The operation, codenamed "Operation Dying Ember," was conducted by the DOJ/FBI and required a court order, suggesting investigation and surveillance preceded the public action.
- **Response actions taken:** On an unspecified date in January 2024, the DOJ executed the court-authorized disruption. They used the Moobot malware itself to copy and delete the Fancy Bear botnet files and data from the routers. They also changed firewall rules to block further remote management access.
## Attack Methodology
- **Initial Access:** Exploitation of default administrative credentials on Ubiquiti routers, leading to infection by Moobot malware.
- **Persistence:** GRU agents installed custom scripts/files to maintain control of the infected devices within the botnet infrastructure.
- **Privilege Escalation:** Not explicitly detailed, but access was gained due to weak default configurations (default passwords).
- **Defense Evasion:** Using compromised customer routers provided cover for their malicious operations.
- **Credential Access:** The malware infrastructure was used for credential harvesting *from* external targets.
- **Discovery:** Not applicable to the router compromise phase itself.
- **Lateral Movement:** Used infected routers as C2 nodes/proxies; internal network lateral movement by Fancy Bear was not the primary focus described.
- **Collection:** Used for preparatory steps toward spearphishing and credential harvesting campaigns.
- **Exfiltration:** The infrastructure enabled exfiltration activities orchestrated by the threat actors.
- **Impact:** Enabling concealment of various cybercrimes (spearphishing, credential harvesting).
## Impact Assessment
- **Financial:** Not specified in terms of cost to victims, but significant government operational cost for the disruption.
- **Data Breach:** Credential harvesting and spearphishing targeting domestic and foreign entities utilizing the compromised routers as pivot points.
- **Operational:** Temporary disruption of the botnet infrastructure. Normal router functionality was briefly impacted during the clean-up but restored afterwards.
- **Reputational:** The incident highlights vulnerabilities in common network hardware, potentially impacting trust in those vendors until remediation occurs.
## Indicators of Compromise
*(Note: Indicators are severely limited because the DOJ operation focused on removal rather than on public sharing of IOCs for the specific malware and C2 infrastructure involved.)*
- **Network indicators (Defanged):** Obfuscated C2 communication paths originating from compromised Ubiquiti EdgeOS devices.
- **File indicators:** Moobot malware artifacts; GRU bespoke scripts and files.
- **Behavioral indicators:** Unusual remote management access activity on routers with default credentials; patterns indicative of spearphishing or credential harvesting activity originating from the device.
## Response Actions
- **Containment:** Court-authorized intrusion to seize control of the botnet infrastructure.
- **Eradication:** Using the Moobot malware to copy and then delete the Russian-installed botnet files and custom scripts from the routers. Firewall rules were modified to block remote management access.
- **Recovery:** The DOJ planned to notify affected customers, urging them to perform a factory reset, install the latest firmware, and change default administrative passwords.
## Lessons Learned
- **Key takeaways:** State-sponsored actors (Fancy Bear/APT 28) leverage commodity malware (Moobot) initially deployed by less sophisticated actors to establish strategic infrastructure. Default administrative credentials remain a critical, exploitable blind spot in widespread enterprise/SOHO hardware.
- **What could have been done better:** Organizations must enforce strong credential practices immediately upon device configuration.
## Recommendations
- Immediately change all default administrative passwords on all network devices, especially routers and firewalls.
- Implement regular firmware updates for all network equipment (specifically Ubiquiti EdgeOS devices affected here).
- Enable and enforce strong firewall rules limiting remote management access to only trusted internal IP addresses or secured VPNs.
- Conduct routine audits of network devices for unauthorized services or unexpected persistent software.
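The behavioral indicator listed above (remote management logins on routers still using default credentials) and the recommendation to restrict remote management to trusted addresses can be expressed as a simple detection over a router's SSH authentication log. This is an added example, not part of the original report or of any Ubiquiti tooling; the log lines, hostname and trusted LAN/VPN ranges are constructed, and `ubnt` is Ubiquiti's factory-default account name.

```python
import ipaddress
import re

# Constructed sample syslog lines from a hypothetical EdgeOS router (not from the report).
SAMPLE_LOGS = """\
Jan 12 02:14:07 edgerouter sshd[1203]: Accepted password for ubnt from 192.168.1.10 port 51234 ssh2
Jan 12 02:16:41 edgerouter sshd[1211]: Accepted password for ubnt from 203.0.113.45 port 40122 ssh2
Jan 12 02:16:55 edgerouter sshd[1214]: Accepted password for admin from 203.0.113.45 port 40130 ssh2
Jan 12 03:01:02 edgerouter sshd[1301]: Accepted publickey for ops from 10.8.0.6 port 33000 ssh2
Jan 12 03:05:19 edgerouter sshd[1320]: Accepted password for ubnt from 198.51.100.7 port 22222 ssh2
"""

# Ranges from which administration is expected (assumed LAN and VPN; adjust per site).
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.8.0.0/24")]
DEFAULT_ACCOUNTS = {"ubnt"}  # Ubiquiti's factory-default administrative username
LOGIN_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_logins(text):
    """One dict per successful SSH login in the log text; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append({"method": m["method"], "user": m["user"],
                           "ip": ipaddress.ip_address(m["ip"])})
    return events

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)

def classify(event):
    """Reasons a login is suspicious; an empty list means it looks normal."""
    reasons = []
    if not is_trusted(event["ip"]):
        reasons.append("untrusted_source")  # remote management from outside LAN/VPN
    if event["user"] in DEFAULT_ACCOUNTS:
        reasons.append("default_account")   # factory account still enabled and in use
    return reasons

def find_suspicious(text):
    """Flagged logins with their reasons, in log order."""
    out = []
    for ev in parse_logins(text):
        reasons = classify(ev)
        if reasons:
            out.append({"user": ev["user"], "ip": str(ev["ip"]), "reasons": reasons})
    return out
```

Run `find_suspicious(SAMPLE_LOGS)` to list the four logins that fail either check; only the key-based login from the VPN range passes both.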