US dismantles Russian GRU botnet used for global DNS hijacking

April 8, 2026 | 6 min read | 3 sources

Introduction

In a significant counter-cyber operation, the U.S. Department of Justice (DOJ) announced in January 2024 that it had successfully disrupted a global botnet controlled by Russia's military intelligence. The operation, led by the FBI, targeted a network of thousands of compromised routers used by the notorious state-sponsored hacking group known as APT28 for a wide-ranging cyber espionage campaign. This action neutralized a key piece of infrastructure used to conduct DNS hijacking and steal sensitive credentials from governments, militaries, and other high-value targets worldwide.

Background: APT28 and the 'Moobot' Botnet

The adversary at the center of this campaign is APT28, a group with many aliases including Fancy Bear, Strontium, and Forest Blizzard. Cybersecurity agencies have confidently attributed this group to Unit 26165 of Russia’s General Staff Main Intelligence Directorate (GRU). APT28 is one of the world's most aggressive and well-resourced state-sponsored actors, with a history of disruptive and espionage-focused operations. Their past activities include the 2016 hack of the Democratic National Committee, attacks against the World Anti-Doping Agency, and persistent cyber operations against Ukraine (DOJ, 2024).

For this campaign, APT28 built a botnet the FBI has dubbed "Moobot." This network consisted of thousands of compromised Ubiquiti EdgeRouter devices located in small office/home office (SOHO) settings and small businesses across the globe. These edge devices are attractive targets for threat actors because they are ubiquitous, often lack dedicated security oversight, and frequently run outdated firmware with default credentials. By compromising these routers, APT28 created a distributed, anonymized platform from which to launch further attacks, effectively turning unsuspecting device owners into unwilling accomplices in a state-sponsored espionage campaign (CISA, 2024).

Technical Teardown: How the DNS Hijacking Worked

APT28’s operation was technically straightforward but highly effective. The group gained initial access to the Ubiquiti EdgeRouters by exploiting known vulnerabilities and, in many cases, by simply using the factory-default administrator credentials that owners had failed to change. Once inside, they deployed custom malware to seize control of the device.

The primary function of the Moobot malware was to facilitate DNS hijacking. The attack followed a clear sequence:

  1. Configuration Change: The malware altered the router's Domain Name System (DNS) settings, so that the DNS lookups of every device connected to that router were answered by GRU-controlled servers.
  2. Redirection: When a user on the compromised network attempted to navigate to a legitimate website—particularly webmail portals or government domains—the malicious DNS server would not return the correct IP address. Instead, it provided the IP address of a phishing server controlled by APT28.
  3. Credential Harvesting: The user's browser would then connect to a fake website designed to be a pixel-perfect clone of the legitimate one. Unaware of the deception, the user would enter their username and password, which were immediately captured and sent to the Russian hackers.

This method allowed APT28 to bypass many traditional security measures and steal credentials from highly sensitive targets. The botnet also served as a proxy network, routing APT28's malicious traffic through the compromised routers to obscure its origin and make attribution more difficult (DOJ, 2024).
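To make the redirection step concrete from the defender's side, the following added example (not code from the original article, the DOJ, or CISA) parses a DNS reply in wire format and flags names whose router-supplied address shares nothing with a trusted reference answer. The reply bytes, the domain name and the reference addresses are constructed test data using RFC 5737 documentation ranges.

```python
import ipaddress
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a recursive A/IN query in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset after it."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            if (hops := hops + 1) > 16:  # refuse pointer loops in a hostile reply
                raise ValueError("too many compression pointers")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_records(msg: bytes) -> dict[str, set[str]]:
    """Return {owner_name: {ipv4, ...}} for the A records in the answer section."""
    _txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers: dict[str, set[str]] = {}
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.setdefault(name, set()).add(str(ipaddress.IPv4Address(rdata)))
    return answers

def hijack_indicators(local: dict, reference: dict) -> set[str]:
    """Names whose router-supplied answers share no address with the trusted set."""
    return {n for n, ips in local.items() if n in reference and not (ips & reference[n])}

# Constructed sample: the router's resolver answers a webmail lookup with a TEST-NET-3
# address, while the trusted reference resolves the same name to TEST-NET-2.
_q = build_query("webmail.example.com")
SAMPLE_LOCAL_REPLY = (_q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + _q[12:]
                      + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 45]))
TRUSTED_REFERENCE = {"webmail.example.com": {"198.51.100.7"}}
```

Because CDNs and geographically distributed services legitimately answer with different addresses, build the reference from a resolver reached over an authenticated channel (DNS over TLS or HTTPS) from the same network position, and treat a flagged name as a lead to investigate rather than proof of compromise.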

The FBI’s disruption was equally technical and precise. Acting under a court warrant, agents did not seize the physical routers. Instead, they remotely accessed the compromised U.S.-based routers and issued commands that overwrote the malicious code, effectively severing the connection to APT28's command-and-control (C2) infrastructure. As Attorney General Merrick B. Garland stated, the Justice Department used "legal authorities to disrupt a long-running Russian cyber-espionage campaign." Crucially, this operation did not remove the underlying malware, leaving the final cleanup to the device owners.

Impact Assessment: A Tactical Victory

The primary targets of this espionage campaign were government, military, security, and critical infrastructure organizations in the United States and allied nations. For these entities, the theft of credentials poses a severe risk, potentially leading to deeper network intrusions, data exfiltration, and intelligence loss.

The secondary victims are the thousands of individuals and small businesses whose routers were hijacked. Their devices were used to facilitate a foreign intelligence operation, and until remediated, remain vulnerable. The FBI’s operation was a necessary intervention but highlights a persistent problem: the insecurity of consumer and SOHO-grade network hardware.

For the GRU, this disruption represents a significant tactical setback. The Moobot botnet was a valuable asset that took time and resources to build. Its neutralization forces APT28 to retool and find new infrastructure for its operations. However, as FBI Director Christopher Wray noted, while this was a "significant blow," APT28 remains a persistent threat. History shows that such groups are resilient and will adapt their methods in response to defensive actions.

How to Protect Yourself

While the FBI has disrupted this specific botnet, the underlying vulnerabilities in many routers remain. Owners of network devices, especially Ubiquiti EdgeRouters, must take immediate action to secure their hardware. General users can also take steps to mitigate the damage from similar attacks.

For Router Owners (Especially Ubiquiti EdgeRouter users):

  • Factory Reset Your Device: This is the most critical step. A simple reboot is not enough. A factory reset will wipe the device's configuration and remove the persistent malware left by APT28.
  • Update Firmware Immediately: Before reconnecting the router to the internet, ensure you have downloaded the latest firmware version from the official manufacturer's website. Install it immediately after the reset.
  • Change Default Credentials: Create a strong, unique password for the administrator account. Never use the default username and password.
  • Disable Remote Management: If you do not need to manage your router from outside your local network, disable WAN-side or remote management features.

General Cybersecurity Hygiene:

  • Enable Multi-Factor Authentication (MFA): MFA is the single most effective defense against credential theft. Even if an attacker steals your password, they cannot access your account without the second factor. Enable it on all critical accounts, including email, banking, and social media.
  • Be Wary of Phishing: Scrutinize login pages for any irregularities in the URL or design. Use a password manager, which will only auto-fill credentials on legitimate domains.
  • Encrypt Your Connection: Using a trusted VPN service can provide an additional layer of security by encrypting the traffic between your device and the internet, protecting it from snooping on untrusted networks.

This operation by the DOJ and FBI serves as a powerful reminder that nation-state threats often leverage the weakest links in our collective digital infrastructure. Securing a home or small business router is no longer just about personal security—it's about contributing to national and international cybersecurity.


// FAQ

What is APT28?

APT28, also known as Fancy Bear or Forest Blizzard, is a sophisticated cyber espionage group linked to Russia's military intelligence agency, the GRU. They are known for high-profile attacks, including the 2016 DNC hack and operations targeting governments and critical infrastructure worldwide.

Did the FBI remove the malware from my router?

No. The FBI's operation only severed the connection between the compromised routers and the hackers' command-and-control servers. The underlying malware remains on the device. Owners must perform a factory reset and update the firmware to remove it completely.

How did the hackers compromise these routers in the first place?

APT28 primarily gained access by exploiting known vulnerabilities in outdated router firmware and by using default or weak administrator credentials that owners had not changed.

What is DNS hijacking?

DNS hijacking is an attack where a device's Domain Name System (DNS) queries are intercepted and redirected. In this case, when a user tried to visit a real website, the compromised router sent them to a fake phishing site controlled by the hackers to steal their login credentials.
