FBI Says It ‘Neutralized’ Russian Hack Of Hundreds Of SOHO Routers

The operation disrupted an attack campaign in January that had compromised small office/home office (SOHO) routers from Ubiquiti, the agency says.

The FBI said Thursday that it disrupted a widespread campaign by Russia-aligned hackers that had compromised “hundreds” of small office/home office (SOHO) routers.

The disclosure is the second time in recent weeks that the agency reported disrupting a nation-state attack that had exploited SOHO routers in the U.S., following the China-linked router hacking campaign disclosed Jan. 31.


As in the previously revealed China-linked attacks, the newly disclosed attack — attributed to the Russian intelligence agency GRU — used the routers together to form an assembly of malware-infected devices, known as a botnet.

Small businesses “may not think they're a target” for nation-state attackers, Michael Welch, a managing director at consultancy MorganFranklin Consulting, said in a previous interview.

But increasingly, they are, Welch said. “The bad actors don't really care. You're an IP address to them,” he said.

The FBI said that the attack campaign attributed to Russia’s GRU — which is also tracked under names including APT28 and Fancy Bear — was taken down in January under court authorization.

The FBI operation “neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes,” the agency said in a news release.

“These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations,” the FBI said.

The GRU-attributed attacks included the installation of malware on Ubiquiti Edge OS routers, which was enabled by the use of “publicly known default administrator passwords,” the agency said.

CRN has reached out to Ubiquiti for comment.

“GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the FBI said.