
The FBI worked with several partners to disrupt a malicious botnet. The Centre for Cybersecurity Belgium (CCB) supported part of the action and has shared further information about the dismantling of MooBot, which was linked to Russian intelligence.

In January of this year, the U.S. Department of Justice took action against a botnet. The MooBot in question consisted of more than a thousand SOHO routers, devices intended for small businesses and home use.

The FBI coordinated an operation to neutralize the botnet and received help from authorities in several countries. The Centre for Cybersecurity Belgium (CCB), for example, helped to detect and clean up infected routers in Belgium. Other European authorities taking part came from France, Germany, Latvia, Lithuania, Norway, Poland and the United Kingdom.

‘User-friendly for cybercriminals’

The dismantled botnet consisted of compromised Ubiquiti EdgeRouters. These routers were controlled by the following Russian state-sponsored hacker groups: APT28, Fancy Bear and Forest Blizzard. These groups operated the botnet on behalf of the Russian military intelligence service (GRU).
</gml_replace>
<gr_replace lines="13" cat="clarify" orig="The CCB reports">
The CCB reports that these Ubiquiti EdgeRouters are used on a massive scale worldwide, which it attributes to their ease of use. That ease of use has a downside, the centre told our editors: “This popular Linux-based product is very user-friendly, both for users and, unfortunately, for cybercriminals.” To get into the routers, the attackers needed nothing more than the default password the devices ship with for initial setup.

The CCB reports that these Ubiquiti EdgeRouters were massively used worldwide. They also know that this is due to the easy usability. But this easy usability has a downside, the center reports to our editors, “This popular Linux-based product is very user-friendly, both for users and, unfortunately, for cybercriminals.” To get into the routers, the cybercriminals needed no more than the password the devices use for first use.

Moreover, the owners of the affected routers received no indication that the botnet was present. Detecting a botnet infection is often difficult for the end user. In the case of Qakbot, for example, the only noticeable impact on the end user was a slower system and increased network traffic. Qakbot was the largest botnet in the world, with at least 700,000 computers connected to it.

Spy platform

MooBot was therefore many times smaller. Still, the criminals who controlled the botnet were able to use it for a wide range of malicious activity. “Among these crimes were large-scale spearphishing and similar campaigns to collect login data against targets of interest to the Russian government,” the U.S. agency states. A joint statement on the action adds that APT28 had been using the infected routers since at least 2022.

APT28 carried out operations that were in fact commissioned by the GRU, but by working through the hacker collective the operations cannot be linked directly to the intelligence agency. Affected industries include aerospace, defence, education, energy and utilities, government, technology and manufacturing. “Target countries include the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates and the US.”

Hackers from the GRU became involved only after the initial compromise of the routers. “GRU hackers then used the Moobot malware to install their customized scripts and files that re-purposed the botnet, turning it into a global cyber-espionage platform,” the U.S. agency said.

Prevention measures

To keep the botnet from being revived, the FBI issued an advisory aimed at owners of Ubiquiti EdgeRouters. Owners are asked to reset the hardware to factory settings, upgrade to the latest firmware version, change the default password and configure firewall rules. Together these measures remove the malicious files and prevent the attackers from regaining access to the devices through remote management services.

It remains uncertain whether the international action has completely disabled MooBot. In the case of Qakbot, for example, security researchers found evidence several months after its takedown that the botnet had recovered.