Russian state-sponsored cyber actors [1] [3] [4] [5] [6] [7] [8], including APT28 [5] [6] [7] [9], have been exploiting compromised Ubiquiti EdgeRouters globally to harvest credentials [4], proxy network traffic [1] [4] [5] [6] [7], and host spear-phishing landing pages [1] [2] [4] [5] [6] [7].

Description

Russian state-sponsored cyber actors [1] [3] [4] [5] [6] [7] [8], including APT28 (also known as Fancy Bear, Forest Blizzard, or Strontium) [2] [3] [4] [5] [6] [7] [9], have been exploiting compromised Ubiquiti EdgeRouters globally to harvest credentials [4], proxy network traffic [1] [4] [5] [6] [7], and host spear-phishing landing pages [1] [2] [4] [5] [6] [7]. These actors [1] [4] [5] [6] [7] [8] [9] are linked to the Russian General Staff Main Intelligence Directorate (GRU) and its 85th Main Special Service Center (GTsSS) [2] [4]. Targeted industries include aerospace [3] [4], defense [3] [4] [7], education [2] [3], energy and utilities [3], hospitality [3], manufacturing [3], oil and gas [2] [3], retail [3], technology [3] [4], and transportation [3], as well as government bodies and individuals in Ukraine [3]. Victims have included academic and research institutions [7], embassies [7], defense contractors [7], and political parties [7], in countries including the US [4], Ukraine [2] [3] [4] [8] [9], Jordan [2], Turkey [2], and Italy [2].

The EdgeRouters run a user-friendly, Linux-based operating system, which makes them popular with consumers and with cyber criminals alike [8]. Weaknesses such as default credentials and limited firewall protections make them attractive targets for cyber actors [4]. Once a router is compromised, APT28 actors have unfettered access to it [1] [8], allowing them to install tools and obfuscate their identity while conducting malicious campaigns [1] [3] [8].

In December 2023, APT28 developed a Python backdoor called MASEPIE, using compromised EdgeRouters as command-and-control infrastructure [9]. APT28 also deployed Python scripts on compromised routers to collect stolen credentials and to exploit a privilege escalation vulnerability in Microsoft Outlook (CVE-2023-23397) [9]. In February 2024, US authorities neutralized the Moobot botnet, controlled by APT28, which was used for spear-phishing and credential harvesting campaigns [9]. Recent efforts by the FBI [1] [3] [4] [6] [8], NSA [1] [6], US Cyber Command [1] [6], and international partners have disrupted a GRU botnet involving these routers [3] [5] [6] [8].

The FBI, NSA, and US Cyber Command have issued a warning and provided advice for router owners on protecting their devices [1]. Owners of affected EdgeRouters should take immediate remedial action to prevent further compromises [3] [5] [6] [8]; in particular, they are advised to perform a hardware factory reset to protect against attacks by the GRU and the GTsSS [2]. If evidence of GTsSS activity is found on a router, individuals are encouraged to contact a local field office or the Internet Crime Complaint Center (IC3) [2].

Conclusion

Owners of compromised EdgeRouters should take immediate action to prevent further compromises, including a hardware factory reset. The activity of Russian state-sponsored cyber actors has significant impacts on industries and individuals, underscoring the importance of basic cybersecurity measures. Going forward, stronger security practices and continued vigilance will be needed to prevent similar attacks.

References

[1] https://www.itpro.com/security/fbi-russian-hackers-are-using-these-routers-as-part-of-their-covert-cyber-attacks
[2] https://www.crn.com/news/cloud/2024/feds-russia-sponsored-attackers-exploit-ubiquiti-routers-microsoft-outlook
[3] https://arstechnica.com/security/2024/02/kremlin-backed-hackers-are-infecting-ubiquity-edgerouters-fbi-warns/
[4] https://www.infosecurity-magazine.com/news/fbi-alert-russian-threats-ubiquiti/
[5] https://www.verfassungsschutz.de/SharedDocs/kurzmeldungen/EN/2024/2024-02-28-joint-cyber-security-advisory.html
[6] https://www.aha.org/2024-02-27-russian-cyber-actors-use-compromise-d-routers-facilitate-cyber-operations
[7] https://sos-vo.org/news/russian-cyber-actors-use-compromised-routers-facilitate-cyber-operations
[8] https://abcnews.go.com/US/russian-hackers-compromised-internet-routers-cyber-operations-us/story?id=107616396
[9] https://securityaffairs.com/159691/breaking-news/russia-apt28-compromised-ubiquiti-edgerouters.html