A US court-authorised operation has neutralised a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of attacks.

These included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as US and foreign governments and military, security, and corporate organisations, according to a statement from the US Department of Justice.

In recent months, allegations of Unit 26165 activity of this type have been the subject of a private sector cybersecurity advisory and a Ukrainian government warning.

This botnet was distinct from prior GRU and Russian Federal Security Service (FSB) malware networks disrupted by the Department in that the GRU did not create it from scratch, the agency states. Instead, the GRU relied on the “Moobot” malware, which is associated with a known criminal group.

Non-GRU cybercriminals installed the Moobot malware on Ubiquiti EdgeOS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.

The Department’s court-authorised operation leveraged the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.

Additionally, to neutralise the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices. During the operation it also enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.