Operation Dying Ember - Department Of Justice ("DoJ")

Original Source: DOJ quietly removed Russian malware from routers in US homes and businesses - Ars Technica

@OfclyGoodenough

SUMMARY:

  1. More than 1,000 Ubiquiti (“www.ui.com”) routers in homes and small businesses that were running Ubiquiti’s EdgeOS with an unchanged default administrative password were affected. They were infected with malware used by Russian-backed agents of the FANCY-BEAR group to coordinate them into a botnet for crime and spy operations.

  2. The Department of Justice ties the FANCY-BEAR Russian hacking group to GRU Military Unit 26165, which is also known as APT 28, Sofacy Group, and Sednit, among other monikers. The intrusion relied on known malware called Moobot, and once the devices were infected by “non-GRU cybercriminals,” GRU agents installed “bespoke scripts and files” to connect to and repurpose them.

  3. The DOJ also used the Moobot malware in response to copy and delete the botnet files and data, according to them, and then, of course, changed the routers’ firewall rules directly to block remote management access. During the court-sanctioned intrusion, the DOJ “enabled temporary collection of non-content routing information” that would “expose GRU attempts to thwart the operation.” The Department claims this did not “impact the routers’ normal functionality or collect legitimate user content information.”


SUMMARY:

  1. The FBI surreptitiously sent commands to hundreds of infected end-of-life small office and home office routers, mainly of the Cisco and Netgear brands, to remove malware known as KV Botnet that the Chinese state-sponsored hacking group Volt Typhoon used to wage attacks on critical infrastructure.

  2. Traffic passing between the hackers and the compromised devices was encrypted using a VPN module KV Botnet installed. From there, the campaign operators connected to the networks of US critical infrastructure organizations to establish posts that could be used in future cyberattacks. This particular arrangement caused traffic to appear as originating from US IP addresses with trustworthy reputations rather than suspicious regions in China.

  3. To prevent the devices from being reinfected, the takedown operators issued additional commands that the affidavit said would “interfere with the hackers’ control over the instrumentalities of their crimes (the Target Devices), including by preventing the hackers from easily re-infecting the Target Devices,” according to the DoJ statement. However, the affidavit also said elsewhere that the prevention measures would be neutralized if the routers were restarted. These devices would then once again be vulnerable to infection. Redactions in the affidavit make the precise means used to prevent re-infection unclear. Portions that weren’t censored, however, indicated the technique involved a loop-back mechanism that prevented the devices from communicating with anyone trying to hack them.


All the while, we have people (paid) to defend Russia and Putin in the US and other media every day. We have politicians and candidates that defend Putin at every turn. Compromised, no doubt, in plain sight. Just incredible.
