US Justice Department Cracks Down on Russian Cyber Espionage Network Using Compromised Routers (Department of Justice)

  Friday, February 16th, 2024 Source: Department of Justice

In a significant operation in January 2024, US law enforcement neutralized a sophisticated network of compromised small office/home office (SOHO) routers utilized by GRU Military Unit 26165 for cyber espionage. This unit, also known by multiple aliases including Fancy Bear and Sednit, employed these routers in extensive spearphishing and credential harvesting campaigns targeting entities of intelligence interest, notably in the US, Ukraine, and various other nations. The operation revealed the GRU’s reliance on "Moobot" malware, initially deployed by non-state cybercriminals on vulnerable Ubiquiti Edge OS routers, which GRU operatives subsequently repurposed for their espionage activities.

The Justice Department’s strategy involved leveraging the same malware to isolate and eliminate the malicious data and scripts installed by the GRU, effectively cutting off their access to the compromised devices. Temporary changes were made to the routers’ firewall settings to prevent remote access, a measure designed to be reversible by the device owners to regain full control. High-ranking officials, including Attorney General Merrick B. Garland and FBI Director Christopher Wray, underscored the operation’s importance in countering Russian cyber operations against the US and its allies, marking it as a critical step in disrupting state-sponsored cyber threats.

The collaborative effort, dubbed "Operation Dying Ember," involved extensive international cooperation and technical expertise, highlighting the operation’s technical and operational sophistication in combating cyber espionage. The operation’s success underscores the US government’s commitment to using legal and technical means to protect national security and the integrity of its information networks. Owners of the affected routers are advised to reset their devices, update firmware, and change default passwords to safeguard against future compromises.
