Russian GRU Hijacks Thousands of Home Routers for Global Espionage
The FBI used a criminal botnet's own malware against Russian GRU hackers who hijacked thousands of home routers across 11 countries to steal passwords and spy on governments.

Russia's military intelligence agency built a global espionage platform out of thousands of ordinary home and small-office routers, harvesting passwords, intercepting authentication tokens, and masking its operators' digital footprints behind hardware sitting in living rooms and back offices across three continents. The FBI dismantled the network in January 2024 through a court-authorized operation so unusual in its methods that it drew comparisons to a digital judo move: agents used the very malware the hackers had planted to delete their own files.
The compromised devices were Ubiquiti EdgeRouters, widely used SOHO networking hardware running EdgeOS. Cybercriminals unaffiliated with Russian intelligence had already infected large numbers of these routers with a malware strain called MooBot, exploiting a basic vulnerability: owners who had never changed the devices' factory-default administrator credentials, both set to "ubnt." GRU hackers from APT28, formally designated Military Unit 26165 of Russia's 85th Main Special Service Center, then seized control of that criminal botnet and repurposed it as a full-scale intelligence collection tool. The campaign dated back to at least 2022.
With root access to the Linux-based routers, APT28 operators harvested NTLMv2 password hashes, collected authentication tokens, proxied network traffic to conceal their true origin, and hosted spearphishing landing pages. Custom Python scripts were deployed against specifically targeted organizations. The group also exploited CVE-2023-23397, a critical Microsoft Outlook vulnerability, as part of related NTLM relay attacks.
FBI Director Christopher Wray announced the disruption at the Munich Security Conference, saying the U.S. "ran a court authorized technical operation that knocked the Russian GRU off well over 1,000 home and small business routers." The effort, dubbed Operation Dying Ember and led by the FBI Boston Field Office, involved remotely accessing compromised routers and turning MooBot against itself, copying and deleting stolen data and malicious files. Agents also modified the routers' firewall rules to block APT28's remote management access. Microsoft and the Shadowserver Foundation participated as private-sector partners.
"Russian intelligence services turned to criminal groups to help them target home and office routers, but the Justice Department disabled their scheme," Attorney General Merrick Garland said. FBI Special Agent in Charge Jodi Cohen, who led the Boston operation, described it as "an international effort led by FBI Boston to remediate over a thousand compromised routers belonging to unsuspecting victims here in the United States, and around the world."
The espionage campaign targeted victims across at least 11 countries: Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the United States, with Ukraine receiving particular focus. Targeted sectors spanned Aerospace and Defense, Education, Energy and Utilities, Governments, Hospitality, Manufacturing, Oil and Gas, Retail, Technology, and Transportation. A joint cybersecurity advisory issued February 27, 2024 and co-signed by the FBI, NSA, U.S. Cyber Command, and agencies from ten additional nations including France, Germany, the United Kingdom, Poland, and South Korea, detailed the full scope of the threat.
The takedown did not fully neutralize the infrastructure. Trend Micro researchers found in May 2024 that more than 350 datacenter VPS IP addresses remained compromised after the FBI's intervention, with at least two additional cybercriminal groups continuing to use the botnet for SSH brute-forcing, pharmaceutical spam, and NTLMv2 hash relay attacks. Compromised Raspberry Pi devices and other internet-facing hardware also appeared in the network alongside EdgeRouters.
APT28, active since at least 2007 and also tracked as Fancy Bear, Forest Blizzard, and Sofacy, carries a long record of high-profile intrusions. The group was behind the 2016 hacks of the Democratic National Committee and Democratic Congressional Campaign Committee, which led to five GRU Unit 26165 officers being indicted in the U.S. in 2018. An earlier 2015 attack on the German Federal Parliament resulted in EU sanctions against multiple APT28 members in October 2020.
The MooBot takedown was the second state-sponsored botnet the FBI disrupted in early 2024, following the January dismantling of the KV-botnet used by Chinese Volt Typhoon hackers, underscoring a pattern of nation-state actors weaponizing consumer-grade networking hardware for long-term espionage positioning.
Ubiquiti EdgeRouter owners who suspect compromise cannot rely on a simple reboot: MooBot survives reboots and requires a full hardware factory reset to remove. Authorities recommend upgrading to the latest firmware, replacing default credentials, and implementing firewall rules to block remote management service exposure from the open internet.
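The firewall and credential changes recommended above, written out as EdgeOS configuration-mode commands. This is an added illustration, not part of the original article or any official remediation script; it assumes eth0 is the WAN-facing interface and that no local-traffic rule set is already attached to it, and the password value is a placeholder to be replaced before use.

```text
# EdgeOS (EdgeRouter) configuration mode; run from a LAN-side session,
# because the default-action drop below will cut off any management
# session that is coming in over the WAN interface.
configure

# Rule set governing traffic addressed to the router itself (not forwarded
# traffic) when it arrives on the WAN interface.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'Traffic from WAN to the router itself'

# Allow replies to connections the router initiated (DNS, NTP, updates).
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable

# Drop malformed or out-of-state packets explicitly.
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable

# Attach the rule set to the WAN interface (assumption: eth0 is WAN).
# Everything not matched above, including SSH and the web GUI, is dropped.
set interfaces ethernet eth0 firewall local name WAN_LOCAL

# Replace the factory-default credential. '<new-strong-password>' is a
# placeholder; EdgeOS hashes it on commit.
set system login user ubnt authentication plaintext-password '<new-strong-password>'

commit
save
exit
```

After committing, confirm the rule set is attached and counting traffic from operational mode with `show firewall name WAN_LOCAL statistics` and `show configuration commands | match firewall`. This configuration only closes the management exposure going forward; as the article notes, a device already infected still needs a factory reset followed by a firmware upgrade before these settings are reapplied.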