FBI disrupts botnet controlled by Russian security services

FBI Director Chris Wray, shown here at a recent congressional hearing, announced the disruption of a GRU botnet at a security conference in Munich on Feb. 15, 2024. Kevin Dietsch/Getty Images

The news comes just weeks after the U.S. announced it went on the offensive against a China-linked botnet operation.

The FBI disrupted a botnet operation managed by Russia’s Main Intelligence Directorate, the latest in a slew of actions that national security authorities have carried out to dismantle and curtail nation-state hacking activities, the Justice Department announced Thursday.

The takedown, which received court authorization last month, neutralized hundreds of small office/home office routers that the GRU’s Military Unit 26165 used to conceal itself inside networks and to carry out cyberattacks, including spear phishing and credential theft, against U.S. targets of intelligence interest to Moscow.

Botnets are groups of hijacked devices or systems that an attacker controls and chains together with other compromised equipment, forming a distributed network that relays traffic and data and allows hacking campaigns to operate at scale while hiding their true origin.

The Kremlin-backed military unit has been previously designated by security industry researchers as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear and Sednit, and has been the subject of recent warnings from the private sector and Ukrainian government, DOJ said.

“Russia’s GRU continues to maliciously target the United States through their botnet campaigns,” said FBI Director Christopher Wray in a statement. “This type of criminal behavior is simply unacceptable, and the FBI, in coordination with our federal and international partners, will not allow for any of Russia’s services to negatively impact the American people and our allies.” 

U.S. cyber operatives turned the criminal malware known as Moobot against itself, directing it to copy and then delete the transmitted data files from the exposed routers. The operation also modified the routers’ firewall rules to block further intrusion attempts, leaving victims able to reset the devices and change their default usernames and passwords.
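The article does not say which firewall rules were changed. As an added illustration that is not part of the article and not the FBI's own remediation, the following EdgeOS configuration shows the kind of hardening a router owner would apply after resetting a device: drop unsolicited connections from the WAN to the router itself (so SSH and the web UI are no longer reachable from the internet), and replace the default `ubnt` account with a new administrator account. The interface name `eth0`, the firewall ruleset name `WAN_LOCAL`, the new user name `netadmin` and the password placeholder are assumptions for this example.

```text
# Added example, not from the article: EdgeOS hardening after a factory reset.
# Assumes eth0 is the WAN interface; adjust to match the device.
configure

# Ruleset applied to traffic destined for the router itself ("local").
# Default-action drop closes SSH, HTTP/HTTPS and other management services to the internet.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'Block unsolicited WAN access to the router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow replies to connections the router started'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop malformed packets'
set firewall name WAN_LOCAL rule 20 state invalid enable
set interfaces ethernet eth0 firewall local name WAN_LOCAL

# Replace the default credentials: create a new admin, then remove the factory 'ubnt' user.
# CHANGE-ME is a placeholder; use a long, unique password.
set system login user netadmin level admin
set system login user netadmin authentication plaintext-password 'CHANGE-ME'
delete system login user ubnt

commit
save
exit
```

Management should then be done only from the LAN side (or over a VPN), and the device's firmware should be brought up to the vendor's current release before it is put back on the internet.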

GRU hackers have relied on Moobot to help enable their cyber operations, though the FBI said in this case that “non-GRU” cybercriminals had installed the malware on Ubiquiti EdgeOS routers. “GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” DOJ said.

The operation, dubbed Dying Ember, was also announced by Wray at the Munich Security Conference in Germany.

The announcement comes as the U.S. intelligence community is urging Congress to reauthorize a soon-to-expire surveillance power that has come under scrutiny from civil liberties groups over how it risks warrantlessly sweeping Americans’ communications. The authority, enabled under Section 702 of the Foreign Intelligence Surveillance Act, has been deemed an essential tool by the FBI and others for its ability to help the IC detect and dismantle nation-state hacking operations.

The action is one of several the U.S. has taken under the Biden administration’s broader commitment to go on the offensive against hacking groups affiliated with U.S. adversaries. A court-authorized FBI operation that disrupted the China-linked Volt Typhoon hacking collective likely immobilized a support network that the group heavily relied on to carry out its activities, Nextgov/FCW previously reported.