US Dept of Justice used existing router malware to quietly purge a Russia-backed 'vast spearphishing

There aren't many stories in the world of technology that could easily make it as a plot for a tense spy-thriller movie, but this one sure has all the right hallmarks for one. Last month, the US Justice Department carried out an authorised operation in which it neutralised a botnet, comprising hundreds of routers in homes [[link]] and offices, that was used to carry out spearphishing and other credentials stealing. And it was achieved by using the very same malware as that by the botnet itself.

As reported by Ars Technica, the network was created by the officially titled GRU Military Unit 26165 (also known by the names Forest Blizzard, Fancy Bear, Sednit, and others), a state-sponsored hacking group that reported has direct ties to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU, for short).

But rather than using its own malware, or anything developed by the GRU, the group used a piece of malware called Moobot that's been used before to insecure routers. In this instance, it infected the operating system on certain Ubiquiti Edge routers that were still using the default, publicly-known admin passwords

Once up and running, the group could then use the network to scrape all kinds of information passing through the routers. While the number of infected routers was relatively small, around a thousand or so, it was more than enough to create an effective botnet that was invasive enough to warrant direct intervention by the FBI [[link]] and DoJ.

To counter it, the DoJ cleverly used the same malware [[link]] to hack back into the routers, copy and delete any stolen data, as well as remove the malicious scripts, and alter the routers’ firewalls to prevent any further remote management of them. To coin a simple phrase, it hacked the hack.

As one can't always rely on the authorities to prevent one's router from being used for criminal activities, there are simple steps that anyone running a small business or office from home can follow.

Start by resetting the router back to its factory default settings (which will clear anything stored on it), then update it to the latest firmware version, followed by changing all of the default usernames and passwords, and then finally use its firewall to block any remote management access.

It can be quite hard to tell if your router is infected with malware or not, but the above actions will certainly help to nip that in the bud. What are you waiting for?