The FBI and partners from 10 other countries are urging owners of Ubiquiti EdgeRouters to check their gear for signs they’ve been hacked and are being used to conceal ongoing malicious operations by Russian state hackers.
The Ubiquiti EdgeRouters make an ideal hideout for hackers. The inexpensive gear, used in homes and small offices, runs a version of Linux that can host malware that surreptitiously runs behind the scenes. The hackers then use the routers to conduct their malicious activities. Rather than using infrastructure and IP addresses that are known to be hostile, the connections come from benign-appearing devices hosted by addresses with trustworthy reputations, allowing them to receive a green light from security defenses.
Unfettered access
“In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns,” FBI officials wrote in an advisory Tuesday.
APT28—one of the names used to track a group backed by the Russian General Staff Main Intelligence Directorate known as GRU—has been doing that for at least the past four years, the FBI has alleged. Earlier this month, the FBI revealed that it had quietly removed Russian malware from routers in US homes and businesses. The operation, which received prior court authorization, went on to add firewall rules that would prevent APT28—also tracked under names including Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit—from being able to regain control of the devices.On Tuesday, FBI officials noted that the operation only removed the malware used by APT28 and temporarily blocked the group using its infrastructure from reinfecting them. The move did nothing to patch any vulnerabilities in the routers or to remove weak or default credentials hackers could exploit to use the devices once again to host their malware surreptitiously.
“The US Department of Justice, including the FBI, and international partners recently disrupted a GRU botnet consisting of such routers,” they warned. “However, owners of relevant devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises.”
Those actions include:
- Perform a hardware factory reset to remove all malicious files
- Upgrade to the latest firmware version
- Change any default usernames and passwords
- Implement firewall rules to restrict outside access to remote management services.
Tuesday’s advisory said that APT28 has been using the infected routers since at least 2022 to facilitate covert operations against governments, militaries, and organizations around the world, including in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US. Besides government bodies, industries targeted include aerospace and defense, education, energy and utilities, hospitality, manufacturing, oil and gas, retail, technology, and transportation. APT28 has also targeted individuals in Ukraine.
The Russian hackers gained control of devices after they were already infected with Moobot, which is botnet malware used by financially motivated threat actors not affiliated with the GRU. These threat actors installed Moobot after first exploiting publicly known default administrator credentials that hadn’t been removed from the devices by the people who owned them. APT28 then used the Moobot malware to install custom scripts and malware that turned the botnet into a global cyber espionage platform.
