US disrupts botnet used by Russia-linked APT28 threat group

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism.

The US government has disrupted a network of routers that were being used by the Russia-linked threat group APT28 to conceal malicious cyber activities.

“These crimes included vast spear-phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as US and foreign governments and military, security, and corporate organisations,” said the US Department of Justice (DoJ) in a statement.

APT28, tracked by cybersecurity researchers under names like Fancy Bear and Sofacy, is believed to be connected to Russia’s military intelligence agency GRU. The group has been active since at least 2007, targeting government, military, and corporate entities worldwide through cyber espionage and hacking campaigns.

According to court documents, the hackers relied on a Mirai-based botnet called MooBot that compromised hundreds of Ubiquiti routers to create a proxy network masking the source of malicious traffic while allowing theft of credentials and data.

“Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers still using publicly known default passwords,” explained the DoJ. “GRU hackers then used the Moobot malware to install their own files and scripts, turning it into a global cyber espionage platform.”

The botnet enabled APT28 to disguise its location while carrying out spear-phishing campaigns and brute-force password attacks and stealing router login credentials, said authorities.

As part of efforts to disrupt the botnet and prevent further crimes, undisclosed commands have been issued to remove the stolen data, block remote access points, and modify firewall rules. The precise number of infected US devices remains confidential, but the FBI noted detections across almost every state.

The operation, codenamed Dying Ember, comes just weeks after another US effort dismantled a Chinese state-sponsored hacking campaign leveraging routers to target critical infrastructure.

(Photo by Alessio Ferretti on Unsplash)
