URL: https://www.theregister.com/2024/02/15/feds_go_fancy_bear_hunting/
FEDS DISMANTLE RUSSIAN GRU BOTNET BUILT ON 1,000-PLUS HOME, SMALL BIZ ROUTERS

1


BEIJING, NOW MOSCOW.… WHO ELSE IS HIDING IN BROADBAND GATEWAYS?

Jessica Lyons
Thu 15 Feb 2024 // 21:11 UTC




The US government today said it disrupted a botnet that Russia's GRU military
intelligence unit used for phishing expeditions, spying, credential harvesting,
and data theft against American and foreign governments and other strategic
targets.

This latest court-authorized takedown happened in January, and involved
neutralizing "well over a thousand" home and small business routers that had
been infected with the Moobot malware, which is a Mirai variant, according to
FBI Director Christopher Wray, speaking at the Munich Cyber Security Conference
on Thursday. Moobot can be used to remote-control compromised devices and launch
attacks against networks.

Non-GRU cybercriminals installed Moobot on Ubiquiti Edge OS routers using
publicly known default administrator passwords, we're told. Then the GRU spying
team (tracked as APT 28, Forest Blizzard, and Fancy Bear among other names) used
Moobot to install their own bespoke scripts and files that repurposed the
botnet, thus "turning it into a global cyber espionage platform," according to
the Feds.

"Russian intelligence services turned to criminal groups to help them target
home and office routers, but the Justice Department disabled their scheme,"
opined Attorney General Merrick Garland. "We will continue to disrupt and
dismantle the Russian government’s malicious cyber tools that endanger the
security of the United States and our allies."

The botnet targeted organizations that are of interest to the Russian
government, including US and foreign governments and military, security, and
corporate organizations. In December Microsoft said the Fancy Bear crew had been
exploiting two previously patched bugs for large-scale phishing campaigns
against high-value targets such as government, defense, and aerospace agencies
in the US and Europe, though didn't say if a botnet was used in the attacks.



And earlier this week it emerged Kremlin agents had been caught misusing
OpenAI's models to generate phishing emails and malicious software scripts.


TAKEDOWN

According to American prosecutors, the Feds were able to instruct the Moobot
botnet to copy and delete malicious files – including the malware itself – and
any stolen data on the compromised routers, likely similar to what the DOJ did
with the recent Volt Typhoon KV botnet takedown.

The FBI said [PDF] the dismantling of the Moobot network also involved modifying
the routers' firewall rules to block remote management access to the devices,
preventing them from being further hijacked, and "enabled temporary collection
of non-content routing information that would expose GRU attempts to thwart" the
operation.




That is to say, Uncle Sam was able to prevent Russia's use of the botnet by
firewalling off remote management access, scrubbing the malware from the
routers, and inspecting the Kremlin's handiwork on the infected equipment. All
this was carried out with the consent of the owners of the infected equipment,
we're told.

Plus, the Feds said, users can roll back Uncle Sam's firewall rule changes via a
factory reset or the routers' web-based user interface, though bear in mind a
reset potentially leaves devices open to hijacking again if one doesn't change
the admin password from the default.



"A factory reset that is not also accompanied by a change of the default
administrator password will return the router to its default administrator
credentials, leaving the router open to reinfection or similar compromises," the
Justice Department warned.

This is the second time in as many months that the Feds claim to have upended a
state-sponsored botnet. The first, announced in January, belonged to China's
Volt Typhoon, which had abused hundreds of outdated Cisco and Netgear boxes to
break into energy facilities, emergency networks and other US critical
infrastructure orgs.

However, as Google's Mandiant Intelligence chief analyst John Hultquist told The
Register, it's likely the Kremlin-backed crew "will be back with a new scheme
soon."

"As elections loom, it's never been a better time to add friction to GRU
operations," he said.

Fancy Bear is believed to have been behind intrusions into the US Democratic
Party's computers during the 2016 US presidential race, and they have continued
to try to disrupt elections ever since.



"The hack and leak operations they have carried out may be the most effective
cyberattack on elections we've witnessed, and we have no reason to believe they
won't replay this tactic again," Hultquist said. ®
