{
	"id": "0c098b3e-de94-4997-89bf-238b2df5736a",
	"created_at": "2026-04-06T00:08:48.058684Z",
	"updated_at": "2026-04-10T03:37:50.052148Z",
	"deleted_at": null,
	"sha1_hash": "109fc2a50a1637c322593d64bba4a837d1a786de",
	"title": "Russian hackers hijack Ubiquiti routers to launch stealthy attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2526185,
	"plain_text": "Russian hackers hijack Ubiquiti routers to launch stealthy attacks\r\nBy Sergiu Gatlan\r\nPublished: 2024-02-27 · Archived: 2026-04-05 16:44:51 UTC\r\nImage: Midjourney\r\nRussian military hackers are using compromised Ubiquiti EdgeRouters to evade detection, the FBI says in a joint advisory issued with the NSA, U.S. Cyber Command, and international partners.\r\nMilitary Unit 26165 cyberspies, part of Russia's Main Intelligence Directorate of the General Staff (GRU) and tracked as APT28 and Fancy Bear, are using the hijacked, widely deployed routers to build botnets that help them steal credentials, collect NTLMv2 digests, and proxy malicious traffic.\r\nThe routers also host custom tools and phishing landing pages for covert cyber operations targeting militaries, governments, and other organizations worldwide.\r\n\"EdgeRouters are often shipped with default credentials and limited to no firewall protections to accommodate wireless internet service providers (WISPs). Additionally, EdgeRouters do not automatically update firmware unless a consumer configures them to do so,\" the FBI warns.\r\n\"In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns.\"\r\nEarlier this month, the FBI disrupted a botnet of Ubiquiti EdgeRouters that cybercriminals unconnected to APT28 had infected with the Moobot malware, and that the Russian hacking group later repurposed into a cyber-espionage platform with global reach.\r\nWhile investigating the hacked routers, the FBI found a range of APT28 tools and artifacts, including Python scripts for stealing webmail credentials, programs designed to harvest NTLMv2 digests, and custom routing rules that automatically redirected phishing traffic to dedicated attack infrastructure.\r\nAPT28 is a notorious Russian hacking group held responsible for several high-profile cyber attacks since it began operating.\r\nIt breached the German Federal Parliament (Deutscher Bundestag) and was behind the attacks on the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) ahead of the 2016 U.S. presidential election.\r\nTwo years later, APT28 members were charged in the U.S. for their involvement in the DNC and DCCC attacks. The Council of the European Union also sanctioned APT28 members in October 2020 for their involvement in the German Federal Parliament hack.\r\nHow to 'revive' hijacked Ubiquiti EdgeRouters\r\nThe FBI and the partner agencies behind today's advisory recommend the following measures to remove the malware and block APT28's access to compromised routers:\r\n1. Perform a hardware factory reset to flush file systems of malicious files\r\n2. Upgrade to the latest firmware version\r\n3. Change any default usernames and passwords, and\r\n4. Implement strategic firewall rules on WAN-side interfaces to prevent unwanted exposure to remote management services.\r\nNote that a factory reset restores the default configuration, including the default credentials the advisory warns about, so steps 2 to 4 should be completed before the router is reconnected to the internet.\r\nThe FBI is seeking information on APT28 activity on hacked EdgeRouters to prevent further use of these techniques and hold those responsible accountable.\r\nYou should report any suspicious or criminal activity related to these attacks to your local FBI field office or the FBI's Internet Crime Complaint Center (IC3).\r\nA joint alert issued by U.S. and U.K. authorities also warned six years ago, in April 2018, that Russian state-backed attackers were actively targeting and hacking home and enterprise routers.\r\nAs the April 2018 advisory cautioned, Russian hackers have historically targeted internet routing equipment to mount man-in-the-middle attacks in support of espionage campaigns, maintain persistent access to victims' networks, and lay the foundation for other offensive operations.\r\nSource: https://www.bleepingcomputer.com/news/security/russian-hackers-hijack-ubiquiti-routers-to-launch-stealthy-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/russian-hackers-hijack-ubiquiti-routers-to-launch-stealthy-attacks/"
	],
	"report_names": [
		"russian-hackers-hijack-ubiquiti-routers-to-launch-stealthy-attacks"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/109fc2a50a1637c322593d64bba4a837d1a786de.pdf",
		"text": "https://archive.orkl.eu/109fc2a50a1637c322593d64bba4a837d1a786de.txt",
		"img": "https://archive.orkl.eu/109fc2a50a1637c322593d64bba4a837d1a786de.jpg"
	}
}