
US Urges Organizations to Clean Up Routers Infected by Russia’s APT28 Hacker Group

The US government has recently taken action against a cyberespionage campaign conducted by the Russian APT28 group, also known as Fancy Bear or Sednit. Following the dismantling of a botnet made up of Ubiquiti routers that had been infected with malware dubbed 'Moobot', authorities are now urging organizations and individuals to clean up their devices to support the disruption efforts.

The infected routers, primarily used in small office/home office (SOHO) settings, were compromised by cybercriminals who exploited default credentials and trojanized OpenSSH server processes associated with Moobot. APT28 then gained control over these routers, utilizing them for covert operations targeting various sectors across Europe, the Middle East, and the US, including aerospace, energy, government, manufacturing, and technology.

Once inside the routers, APT28 actors utilized various tactics, including collecting credentials, proxying network traffic, and deploying custom post-exploitation tools. They also exploited a zero-day vulnerability in Outlook to collect credentials from targeted accounts and deployed Python scripts for further credential harvesting.

Furthermore, APT28 leveraged the compromised routers for command-and-control purposes, using them as infrastructure for a Python backdoor called MasePie. The group employed sophisticated techniques such as establishing reverse proxy connections and uploading SSH RSA keys to establish reverse SSH tunnels.

To address the threat, the advisory recommends several mitigation measures, including factory resetting devices, updating firmware, changing default credentials, and implementing firewall rules. Organizations and consumers are encouraged to utilize provided indicators of compromise (IoCs) to detect signs of infection and take necessary actions to prevent similar compromises in the future.
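One concrete check behind these recommendations is reviewing the SSH keys a router will accept, since the campaign relied on uploaded RSA keys for reverse SSH tunnels. The script below is an added example, not part of the advisory or any vendor tooling: it parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and flags any key not on an operator-maintained allowlist. The key material and allowlist are constructed for the demonstration.

```python
"""Audit an authorized_keys file for SSH public keys that are not on an allowlist.

Assumed scenario (constructed, not from the advisory): a router's
authorized_keys file has been copied off the device and is compared
against the fingerprints of keys the operator actually issued.
"""
import base64
import hashlib


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field as used in OpenSSH public key blobs."""
    return len(data).to_bytes(4, "big") + data


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (no '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line; blank and comment lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        # A line may begin with options such as command="..."; locate the key type token.
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                try:
                    blob = base64.b64decode(parts[i + 1], validate=True)
                except ValueError:
                    break  # malformed key material; treat the line as unparseable
                yield tok, blob, " ".join(parts[i + 2:])
                break


def audit_authorized_keys(text: str, allowed_fingerprints: set) -> list:
    """Return [(key_type, fingerprint, comment)] for every key not on the allowlist."""
    return [(t, fingerprint(b), c) for t, b, c in parse_authorized_keys(text)
            if fingerprint(b) not in allowed_fingerprints]


# Constructed sample keys: one legitimate admin ed25519 key and one unexpected RSA key.
ADMIN_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ROGUE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xab" * 256)
SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {base64.b64encode(ADMIN_BLOB).decode()} admin@office\n"
    f"ssh-rsa {base64.b64encode(ROGUE_BLOB).decode()}\n"
)
KNOWN_FINGERPRINTS = {fingerprint(ADMIN_BLOB)}  # the operator's allowlist (constructed)

if __name__ == "__main__":
    for key_type, fp, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS):
        print(f"UNKNOWN KEY: {key_type} {fp} {comment!r}")
```

Any key reported as unknown should be removed and the device treated as suspect, which is where the advisory's factory-reset and credential-change steps come in.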

Overall, the US government's call to action underscores the ongoing threat posed by APT28 and the importance of securing network infrastructure to safeguard against cyberespionage activities.
