Hundreds of routers used in homes and small offices were unknowingly used to spread malware via a Russian-made botnet. This week, the US Department of Justice announced that this botnet has now been shut down in an operation that took place in January 2024 but has now been revealed publicly.
In its press release, the Justice Department stated the botnet itself was created by a known cybercriminal group that infected routers that still used "publicly known default administrator passwords" with the Moobot malware. After that, the Russian GRU agency installed its own scripts by using the Moobot malware.
The press release described how the GRU used the botnet to committee various cybercrimes:
These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations.
However, after the botnet was discovered, the Justice Department turned around and used the Moobot malware to copy the stolen files, and then delete them from those routers. It also changed the firewalls of those routers to make sure they could block any attempts at remote entry.
The Justice Department will inform the owners of those routers about what happened to them and request that those devices get a full reset. They will also be asked to install the latest version of their router's firmware, and of course, they will highly recommend that the routers get new passwords.
This is actually the second time in 2024 that the Justice Department has disrupted a criminal botnet. In a statement, US Attorney General Merrick B. Garland said:
In this case, Russian intelligence services turned to criminal groups to help them target home and office routers, but the Justice Department disabled their scheme. We will continue to disrupt and dismantle the Russian government’s malicious cyber tools that endanger the security of the United States and our allies.
There's no specific information on the information that was gathered by the botnet before it was closed down.
20 Comments - Add comment