{
	"id": "8f0d14ce-b3f2-48d0-b170-7c498dccd3e0",
	"created_at": "2026-04-06T01:30:31.181162Z",
	"updated_at": "2026-04-10T13:13:01.080029Z",
	"deleted_at": null,
	"sha1_hash": "1fd765a4810d341c9d14c9a1c4dc142baa05ee29",
	"title": "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61448,
	"plain_text": "Justice Department Conducts Court-Authorized Disruption of\r\nBotnet Controlled by the Russian Federation’s Main Intelligence\r\nDirectorate of the General Staff (GRU)\r\nPublished: 2024-02-15 · Archived: 2026-04-06 01:07:46 UTC\r\nNote: Following the publication of this press release, the FBI and international partners issued a joint\r\nmultinational cybersecurity advisory\r\non Russian cyber actors' use of compromised routers to facilitate cyber operations.\r\nA January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office\r\n(SOHO) routers that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn\r\nStorm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes. These crimes included\r\nvast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the\r\nRussian government, such as U.S. and foreign governments and military, security, and corporate organizations. In\r\nrecent months, allegations of Unit 26165 activity of this type have been the subject of a private sector cybersecurity\r\nadvisory\r\nhttps://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian\r\nPage 1 of 4\n\nand a Ukrainian government warning.\r\nThis botnet was distinct from prior GRU and Russian Federal Security Service (FSB) malware networks disrupted\r\nby the Department in that the GRU did not create it from scratch. Instead, the GRU relied on the “Moobot”\r\nmalware, which is associated with a known criminal group. Non-GRU cybercriminals installed the Moobot\r\nmalware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. 
GRU\r\nhackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet,\r\nturning it into a global cyber espionage platform.\r\nThe Department’s court-authorized operation leveraged the Moobot malware to copy and delete stolen and\r\nmalicious data and files from compromised routers. Additionally, in order to neutralize the GRU’s access to the\r\nrouters until victims can mitigate the compromise and reassert full control, the operation reversibly modified the\r\nrouters’ firewall rules to block remote management access to the devices, and during the course of the operation,\r\nhttps://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian\r\nPage 2 of 4\n\nenabled temporary collection of non-content routing information that would expose GRU attempts to thwart the\r\noperation.\r\n“The Justice Department is accelerating our efforts to disrupt the Russian government’s cyber campaigns against\r\nthe United States and our allies, including Ukraine,” said Attorney General Merrick B. Garland. “In this case,\r\nRussian intelligence services turned to criminal groups to help them target home and office routers, but the Justice\r\nDepartment disabled their scheme. We will continue to disrupt and dismantle the Russian government’s malicious\r\ncyber tools that endanger the security of the United States and our allies.”\r\n“For the second time in two months, we’ve disrupted state-sponsored hackers from launching cyber-attacks\r\nbehind the cover of compromised U.S. routers,” said Deputy Attorney General Lisa Monaco. “We will continue to\r\nleverage all of our legal authorities to prevent harm and protect the public — whether the hackers are from Russia,\r\nChina, or another global threat.” \r\n“Russia’s GRU continues to maliciously target the United States through their botnet campaigns,” said FBI\r\nDirector Christopher Wray. 
“The FBI utilized its technical capabilities to disrupt Russia’s access to hundreds of\r\nrouters belonging to individuals in addition to small and home offices. This type of criminal behavior is simply\r\nunacceptable, and the FBI, in coordination with our federal and international partners, will not allow for any of\r\nRussia’s services to negatively impact the American people and our allies.”  \r\n“In this unique, two-for-one operation, the National Security Division and its partners disrupted a botnet used by\r\nboth criminal and state-sponsored actors,” said Assistant Attorney General Matthew G. Olsen of the Justice\r\nDepartment’s National Security Division. “Notably, this represents the third time since Russia’s unjustified\r\ninvasion of Ukraine that the Department has stripped the Russian intelligence services of a key tool used to further\r\nthe Kremlin’s acts of aggression and other malicious activities. We will continue to use our legal authorities and\r\ncutting-edge techniques, and to draw on the strength of our partnerships, to protect the public and our allies from\r\nsuch threats.”\r\n“This is yet another case of Russian military intelligence weaponizing common devices and technologies for that\r\ngovernment’s malicious aims,” said U.S. Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania.\r\n“As long as our nation-state adversaries continue to threaten U.S. national security in this way, we and our\r\npartners will use every tool available to disrupt their cyber thugs — whomever and wherever they are.”\r\n“Operation Dying Ember was an international effort led by FBI Boston to remediate over a thousand\r\ncompromised routers belonging to unsuspecting victims here in the United States, and around the world that were\r\ntargeted by malicious, nation state actors in Russia to facilitate their strategic intelligence collection,” said Special\r\nAgent in Charge Jodi Cohen of the FBI Boston Field Office. 
“The FBI’s strong partnerships with the private sector\r\nwere critical to identifying and addressing this threat which targeted our national security interests here and\r\nabroad. This operation should make it crystal clear to our adversaries that we will not allow anyone to exploit our\r\ntechnology and networks.”\r\nAs described in court documents, the government extensively tested the operation on the relevant Ubiquiti Edge\r\nOS routers. Other than stymieing the GRU’s ability to access the routers, the operation did not impact the\r\nrouters’ normal functionality or collect legitimate user content information. Additionally, the court-authorized\r\nsteps to disconnect the routers from the Moobot network are temporary in nature; users can roll back the firewall\r\nhttps://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian\r\nPage 3 of 4\n\nrule changes by undertaking factory resets of their routers or by accessing their routers through their local network\r\n(e.g., via the routers’ web-based user interface). However, a factory reset that is not also accompanied by a change\r\nof the default administrator password will return the router to its default administrator credentials, leaving the\r\nrouter open to reinfection or similar compromises.\r\nThe FBI Philadelphia and Boston Field Offices and Cyber Division, U.S. Attorney’s Office for the Eastern District\r\nof Pennsylvania, and the National Security Division’s National Security Cyber Section led the disruption effort.\r\nThe Criminal Division’s Computer Crime and Intellectual Property Section and Office of International Affairs,\r\nShadowserver Foundation, Microsoft Threat Intelligence, and other partners provided valuable assistance.\r\nThe FBI is working with internet service providers to provide notice of the operation to owners and operators of\r\nSOHO routers covered by the court’s authorization. 
If you believe you have a compromised router, please visit the\r\nFBI’s Internet Crime Complaint Center.\r\nTo better protect themselves, the FBI advises all victims to conduct the following remediation steps:\r\n1. Perform a hardware factory reset to flush the file systems of malicious files;\r\n2. Upgrade to the latest firmware version;\r\n3. Change any default usernames and passwords; and\r\n4. Implement strategic firewall rules to prevent the unwanted exposure of remote management services.\r\nThe FBI strongly encourages router owners to avoid exposing their devices to the internet until they change the\r\ndefault passwords.\r\nSource: https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian\r\nhttps://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian"
	],
	"report_names": [
		"justice-department-conducts-court-authorized-disruption-botnet-controlled-russian"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439031,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1fd765a4810d341c9d14c9a1c4dc142baa05ee29.pdf",
		"text": "https://archive.orkl.eu/1fd765a4810d341c9d14c9a1c4dc142baa05ee29.txt",
		"img": "https://archive.orkl.eu/1fd765a4810d341c9d14c9a1c4dc142baa05ee29.jpg"
	}
}