Hey everyone. Yeah, it’s another APT28 post. But tracking Russian threats is my favorite pastime.
So, this past month, the U.S. Department of Justice, alongside the FBI, disrupted a botnet controlled by APT28, also known as Fancy Bear. This Russian state-sponsored group, tied to the GRU’s Unit 26165, had hijacked hundreds of small office/home office routers to run espionage operations. The action, announced on February 15, 2024, targeted a network used for spear-phishing and credential harvesting against U.S. and foreign governments, military, and corporate entities. It’s a solid win, but don’t pop the champagne yet—there’s more to this story.
The botnet ran on Ubiquiti EdgeOS routers infected with Moobot malware, a Mirai variant. Non-GRU cybercriminals originally compromised these devices by exploiting default admin passwords—because who doesn’t love a factory-setting roulette? APT28 then swooped in, repurposing the network with custom scripts and files for their spying gig. They used it to mask traffic, steal credentials, and hit targets of intelligence value to Russia. The DoJ’s move, dubbed “Operation Dying Ember,” kicked APT28 off the botnet and cleaned house.
The operation worked like this: the DoJ leveraged Moobot’s own mechanics to copy and delete stolen data from the routers. They also tweaked firewall rules to block remote management, cutting APT28’s access without breaking the routers’ normal functions. Temporary routing data was collected to spot any GRU counter-moves, but no user content was touched. The FBI and partners like Microsoft and Shadowserver helped execute this, proving teamwork makes the Kremlin’s dreams hurt.
APT28’s targets included the usual suspects—government agencies, defense firms, and security orgs. The botnet, active since at least 2022, supported phishing campaigns and brute-force attacks. The DoJ didn’t say how many U.S. routers got hit, but they confirmed infections across nearly every state. Globally, it’s hundreds of devices, maybe more. This wasn’t APT28’s first botnet rodeo—remember VPNFilter in 2018? Same crew, different toys.
Mitigation’s straightforward but requires action. Router owners need to ditch default passwords, update firmware, and reboot devices to clear lingering malware. The FBI’s still sniffing around for APT28 activity, so report anything shady to them or IC3.gov. Patching those routers is key—otherwise, you’re just begging for round two. The DoJ’s disruption is temporary unless users step up.
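Quick added example (mine, not anything from the DoJ release or Ubiquiti): a small Python audit that reads an EdgeOS-style (Vyatta-syntax) config export and flags the two things this post keeps coming back to, a factory admin account left in place and SSH/web management reachable from the WAN because no local firewall policy is bound to the WAN interface. The config text, the interface and firewall names, the "description WAN" convention for spotting the internet-facing port, and the assumed factory account name `ubnt` are all constructed for the example.

```python
"""Audit an EdgeOS-style config export for leftover factory admin accounts and
WAN-exposed remote management. Sample configs below are constructed; the
factory account name and the 'description WAN' convention are assumptions."""

DEFAULT_ADMIN_USERS = {"ubnt"}      # assumption: EdgeOS factory admin account
MGMT_SERVICES = ("ssh", "gui")      # remote-management services to check

# Constructed weak sample: WAN_LOCAL exists but is not bound to eth0, ubnt is still admin.
WEAK_CONFIG = """
firewall {
    name WAN_LOCAL {
        default-action drop
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
    }
}
service {
    gui {
        https-port 443
    }
    ssh {
        port 22
    }
}
system {
    login {
        user ubnt {
            authentication {
                encrypted-password PLACEHOLDER_HASH
            }
            level admin
        }
    }
}
"""

# Constructed hardened variant: WAN_LOCAL bound to eth0, factory account replaced.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "        description WAN\n",
    "        description WAN\n        firewall {\n            local {\n"
    "                name WAN_LOCAL\n            }\n        }\n",
).replace("user ubnt", "user netadmin")


def parse_config(text):
    """Parse 'key { ... }' / 'key value' syntax into nested dicts (braces matter, indent does not)."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def audit(config):
    """Return (finding, remediation) tuples; an empty list means nothing flagged."""
    findings = []
    login = config.get("system", {}).get("login", {})
    for key, node in login.items():
        if key.startswith("user ") and node.get("level") == "admin":
            name = key.split(" ", 1)[1]
            if name in DEFAULT_ADMIN_USERS:
                findings.append((f"factory admin account '{name}' still present",
                                 f"create a new admin user, then: delete system login user {name}"))
    exposed = [s for s in MGMT_SERVICES if s in config.get("service", {})]
    if not exposed:
        return findings
    firewalls = config.get("firewall", {})
    for iface, node in config.get("interfaces", {}).items():
        if node.get("description", "").upper() != "WAN":   # assumption: WAN marked by description
            continue
        policy = node.get("firewall", {}).get("local", {}).get("name")
        if policy is None:
            findings.append((f"{'/'.join(exposed)} reachable from WAN: {iface} has no local firewall policy",
                             f"set interfaces {iface} firewall local name WAN_LOCAL"))
        elif firewalls.get(f"name {policy}", {}).get("default-action") != "drop":
            findings.append((f"local policy {policy} on {iface} does not drop by default",
                             f"set firewall name {policy} default-action drop"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding, fix in audit(parse_config(text)):
            print(f"- {finding}\n    fix: {fix}")
```

The remediation strings use the real EdgeOS `set`/`delete` CLI syntax so they can be pasted into `configure` mode, but the script deliberately does not push anything to a device: it only reads a config you have already exported, which is the right place to start before the firmware update and reboot the post recommends.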
This fits APT28’s 2024 playbook—NTLM relay attacks, phishing sprees, and now this botnet mess. They’ve been at it since 2007, with hits like the 2016 DNC hack. The February takedown, led by the National Security Division, marks the third time since 2022 the DoJ’s neutered Russian cyber tools tied to Ukraine tensions. Assistant AG Matthew Olsen called it a “two-for-one” hit, nailing both criminal and state-sponsored actors.
By March 26, 2025, it’s clear APT28 took a punch, but they’re not down for the count. The routers are back to normal-ish, though some owners are still clueless their gear was a Russian pawn. Casual aside: if your router’s still rocking “admin123,” you’re basically rolling out the red carpet for Fancy Bear. The DoJ and FBI deserve a nod for this one—it’s not every day you see the feds outsmart a GRU cyber squad. Still, lock down your tech, folks; APT28’s probably already plotting their next move.