Daily News

The Ubiquiti Router Cyberattack: Unveiling the Intricacies of “Operation Dying Ember”

Photo by Anete Lusina on Pexels.com

In a recent revelation by the Justice Department, more than 1,000 Ubiquiti routers in homes and small businesses fell victim to a sophisticated malware attack orchestrated by Russian-backed agents. This malicious software, functioning as a botnet for the notorious Russian hacking group Fancy Bear, was eradicated in January 2024 under the covert “Operation Dying Ember,” as disclosed by the FBI’s director.

The malware infiltrated routers operating Ubiquiti’s EdgeOS, particularly those that retained their default administrative password, granting the hacking group unauthorized access to execute various nefarious activities. Subsequent investigations by the DOJ uncovered a range of criminal activities facilitated by this breach, including spearphishing and credential harvesting both in the US and overseas.

Unlike previous incursions by Fancy Bear, the group linked to GRU Military Unit 26165, the Ubiquiti breach leveraged the Moobot malware. This enabled GRU agents to embed customized scripts and files on the infected devices, repurposing them to suit their clandestine agenda, according to the DOJ’s findings.

During the court-sanctioned intervention, the DOJ used the Moobot malware itself to delete the botnet’s files and data, then reconfigured the routers’ firewall settings to block remote management access. The same firewall changes allowed the temporary collection of non-content routing information, so that any GRU attempts to interfere with the operation would be visible, without disrupting the routers’ normal functionality or gathering user content data.

Deputy Attorney General Lisa Monaco highlighted the significance of thwarting state-sponsored cyber-attacks concealed within compromised US routers, and emphasized that affected customers should perform a factory reset, update the firmware, and change the default administrative password (a factory reset alone restores the default credentials the malware relied on).

Expanding on the Fancy Bear operation and broader international cyber threats, FBI Director Christopher A. Wray underscored Russia’s recent targeting of underwater cables and global industrial control systems. Following the Ukraine invasion, Russia intensified its focus on the US energy sector, as per Wray’s statements at the Munich Security Conference.

The past year witnessed a surge in attacks on routers and network infrastructure, with TP-Link and Cisco routers succumbing to malware intrusions attributed to Chinese-backed groups. The proactive intervention by the DOJ and FBI underscores the critical need for enhanced cybersecurity vigilance and prompt mitigation measures to safeguard against such insidious cyber threats.

As the digital landscape evolves, the interconnected nature of global networks underscores the imperative of robust cybersecurity practices and proactive measures to fortify critical infrastructure against malicious incursions orchestrated by state-sponsored threat actors.

(Source: Ars Technica)

https://arstechnica.com/information-technology/2024/02/doj-turns-tables-on-russian-hackers-uses-their-malware-to-wipe-out-botnet/

Author

  • Rod: A creative force, blending words, images, and flavors. Blogger, writer, filmmaker, and photographer. Cooking enthusiast with a sci-fi vision. Passionate about his upcoming series and dedicated to TNC Network. Partnered with Rebecca Washington for a shared journey of love and art.
