{ "id": "dfbee9d2-4773-4596-a6d7-fe3b669db1d6", "created_at": "2026-04-06T03:36:16.512464Z", "updated_at": "2026-04-10T03:37:49.949015Z", "deleted_at": null, "sha1_hash": "756bf57c431f9bc88779449f11646f84f4247984", "title": "Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 41909, "plain_text": "Justice Department Announces Actions to Disrupt Advanced\r\nPersistent Threat 28 Botnet of Infected Routers and Network\r\nStorage Devices\r\nPublished: 2018-05-23 · Archived: 2026-04-06 02:11:44 UTC\r\nThe Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected\r\nhome and office (SOHO) routers and other networked devices under the control of a group of actors known as the\r\n“Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”).  The\r\ngroup, which has been operating since at least in or about 2007, targets government, military, security\r\norganizations, and other targets of perceived intelligence value.\r\nAssistant Attorney General for National Security John C. Demers, U.S. Attorney Scott W. Brady for the Western\r\nDistrict of Pennsylvania, Assistant Director Scott Smith for the FBI’s Cyber Division, FBI Special Agent in\r\nCharge Robert Johnson of the Pittsburgh Division and FBI Special Agent in Charge David J. LeValley of the\r\nAtlanta Division made the announcement.\r\n“The Department of Justice is committed to disrupting, not just watching, national security cyber threats using\r\nevery tool at our disposal, and today’s effort is another example of our commitment to do that,” said Assistant\r\nAttorney General Demers.  “This operation is the first step in the disruption of a botnet that provides the Sofacy\r\nactors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence\r\ngathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such\r\nactivities.”\r\n“The United States Attorney’s Office will continue to aggressively fight against threats to our national security by\r\ncriminals, no matter who they work for” said U.S. Attorney Brady.  “This court-ordered seizure will assist in the\r\nidentification of victim devices and disrupts the ability of these hackers to steal personal and other sensitive\r\ninformation and carry out disruptive cyber attacks.  We will be relentless in protecting the people of Western\r\nPennsylvania - from international corporations to local businesses to the elderly - from these threats.”\r\n“Today's announcement highlights the FBI's ability to take swift action in the fight against cybercrime and our\r\ncommitment to protecting the American people and their devices,” said Assistant Director Scott Smith. “By\r\nseizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in\r\nminimizing the impact of the malware attack. While this is an important first step, the FBI's work is not done. The\r\nFBI, along with our domestic and international partners, will continue our efforts to identify and expose those\r\nresponsible for this wave of malware.”\r\n“The FBI will not allow malicious cyber actors, regardless of whether they are state-sponsored, to operate freely,”\r\nsaid FBI Special Agent in Charge Bob Johnson. “These hackers are exploiting vulnerabilities and putting every\r\nAmerican’s privacy and network security at risk. Although there is still much to be learned about how this\r\nparticular threat initially compromises infected routers and other devices, we encourage citizens and businesses to\r\nkeep their network equipment updated and to change default passwords.”\r\nhttps://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected\r\nPage 1 of 3\n\n“This action by the FBI, DOJ, and our partners should send a clear message to our adversaries that the U.S.\r\nGovernment will take action to mitigate the threats posed by them and to protect our citizens and our allies even\r\nwhen the possibility of arrest and prosecution may not be readily available,” said FBI Special Agent in Charge\r\nDavid J. LeValley. “As our adversaries’ technical capabilities evolve, the FBI and its partners will continue to rise\r\nto the challenge, placing themselves between the adversaries and their intended victims.”\r\nThe botnet, referred to by the FBI and cyber security researchers as “VPNFilter,” targets SOHO routers and\r\nnetwork-access storage (NAS) devices, which are hardware devices made up of several hard drives used to store\r\ndata in a single location that can be accessed by multiple users.  The VPNFilter botnet uses several stages of\r\nmalware. Although the second stage of malware, which has the malicious capabilities described above, can be\r\ncleared from a device by rebooting it, the first stage of malware persists through a reboot, making it difficult to\r\nprevent reinfection by the second stage.\r\nIn order to identify infected devices and facilitate their remediation, the U.S. Attorney’s Office for the Western\r\nDistrict of Pennsylvania applied for and obtained court orders, authorizing the FBI to seize a domain that is part of\r\nthe malware’s command-and-control infrastructure.  This will redirect attempts by stage one of the malware to\r\nreinfect the device to an FBI-controlled server, which will capture the Internet Protocol (IP) address of infected\r\ndevices, pursuant to legal process. A non-profit partner organization, The Shadowserver Foundation, will\r\ndisseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign\r\nCERTs and internet service providers (ISPs).  \r\nOwners of SOHO and NAS devices that may be infected should reboot their devices as soon as possible, \r\ntemporarily eliminating the second stage malware and causing the first stage malware on their device to call out\r\nfor instructions.  Although devices will remain vulnerable to reinfection with the second stage malware while\r\nconnected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide\r\nin the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure.\r\nThe FBI and the Department of Homeland Security have also jointly notified trusted ISPs.  The Department and\r\nthe FBI also encourage users and administrators to review the Cisco blog post on VPNFilter, available HERE\r\nhttps://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected\r\nPage 2 of 3\n\n, for recommendations and to ensure that their devices are updated with the latest patches.\r\nThe efforts to disrupt the VPNFilter botnet were led by the FBI’s Pittsburgh and Atlanta Offices; FBI Cyber\r\nDivision;  Trial Attorney Matthew Chang of the National Security Division’s Counterintelligence and Export\r\nControl Section; and Assistant U.S. Attorneys Charles Eberle and Soo C. Song of the Western District\r\nPennsylvania.  Critical assistance was also provided by Richard Green of the Criminal Division’s Computer Crime\r\nand Intellectual Property Section and The Shadowserver Foundation.\r\nNote: The documents filed by the Government as well as the court orders entered in this case are available as\r\nattachments below.\r\nSource: https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected\r\nhttps://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected\r\nPage 3 of 3\n\n https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected \n, for recommendations and to ensure that their devices are updated with the latest patches. \nThe efforts to disrupt the VPNFilter botnet were led by the FBI’s Pittsburgh and Atlanta Offices; FBI Cyber\nDivision; Trial Attorney Matthew Chang of the National Security Division’s Counterintelligence and Export\nControl Section; and Assistant U.S. Attorneys Charles Eberle and Soo C. Song of the Western District\nPennsylvania. Critical assistance was also provided by Richard Green of the Criminal Division’s Computer Crime\nand Intellectual Property Section and The Shadowserver Foundation. \nNote: The documents filed by the Government as well as the court orders entered in this case are available as\nattachments below. \nSource: https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected \n Page 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY", "ETDA" ], "references": [ "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected" ], "report_names": [ "justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected" ], "threat_actors": [ { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775446576, "ts_updated_at": 1775792269, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/756bf57c431f9bc88779449f11646f84f4247984.pdf", "text": "https://archive.orkl.eu/756bf57c431f9bc88779449f11646f84f4247984.txt", "img": "https://archive.orkl.eu/756bf57c431f9bc88779449f11646f84f4247984.jpg" } }