Dive Brief:
- The Department of Justice disrupted a botnet controlled by the Russian state-linked threat group Forest Blizzard, also known as Fancy Bear, in a court-ordered operation to disable hundreds of small office/home office routers used for malicious cyber activity.
- The botnet used Moobot malware installed on hundreds of vulnerable Ubiquiti EdgeOS routers to conduct spear-phishing and credential-harvesting attacks in the U.S. The threat group has previously targeted NATO government organizations, critical infrastructure providers and other organizations. The impacted routers were still using default passwords.
- The action marks the second U.S. disruption of a botnet since January, following the disruption of the KV Botnet backed by Volt Typhoon, a threat group linked to the People’s Republic of China.
Dive Insight:
The FBI-led disruption comes amid an increase in malicious activity from rogue state-linked threat groups in recent months.
Forest Blizzard has been actively exploiting a critical elevation-of-privilege vulnerability in Outlook, tracked as CVE-2023-23397, to gain unauthorized access to Microsoft Exchange servers.
Microsoft worked with Polish Cyber Command to mitigate the threat in December, as the hackers employed multiple tactics, including password spraying. Ukraine cyber officials warned earlier this month that the hackers were stealing credentials of Ukrainian military personnel.
Researchers at Palo Alto Networks’ Unit 42, which tracks the group as Fighting Ursa, said the exploitation activity against Microsoft Exchange servers included attacks on energy production, air transport and pipelines.
Security researchers expect stepped-up nation-state threat activity as the U.S. moves deeper into election season.
“These actions aren’t a panacea and this actor will be back with a new scheme soon, but as elections loom, it’s never been a better time to add friction to GRU operations,” John Hultquist, chief analyst at Mandiant Intelligence, Google Cloud, said in a statement.
Forest Blizzard was one of five state-linked actors OpenAI removed from its platform this week. Multiple threat groups were using the company’s AI tools to conduct early-stage research and other activity.
The current campaign is unusual because the GRU typically develops malware internally, but in this case it relied on criminal malware that was already available, according to the DOJ. Moobot is a Mirai-variant malware that was previously linked to threat activity using vulnerable D-Link routers in 2022.
The FBI operation, authorized in late January, copied and deleted stolen files and other data from the compromised routers. The operation also disabled remote access to the devices, which were used by individuals and small offices across the U.S. Users can regain normal access to the devices through factory resets.
The FBI is working with local internet service providers to notify owners and operators of the routers.