US Dept of Justice used existing router malware to quietly purge a Russia-backed 'vast spearphishing' botnet from devices in peoples' homes

3D illustration of a grid of black cpus with different IoT symbols, representing a botnet concept
(Image credit: BeeBright via Getty Images)

There aren't many stories in the world of technology that could easily make it as a plot for a tense spy-thriller movie, but this one sure has all the right hallmarks for one. Last month, the US Justice Department carried out an authorised operation in which it neutralised a botnet, comprising hundreds of routers in homes and offices, that was used to carry out spearphishing and other credentials stealing. And it was achieved by using the very same malware as that by the botnet itself.

As reported by Ars Technica, the network was created by the officially titled GRU Military Unit 26165 (also known by the names Forest Blizzard, Fancy Bear, Sednit, and others), a state-sponsored hacking group that reported has direct ties to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU, for short).

But rather than using its own malware, or anything developed by the GRU, the group used a piece of malware called Moobot that's been used before to insecure routers. In this instance, it infected the operating system on certain Ubiquiti Edge routers that were still using the default, publicly-known admin passwords

Once up and running, the group could then use the network to scrape all kinds of information passing through the routers. While the number of infected routers was relatively small, around a thousand or so, it was more than enough to create an effective botnet that was invasive enough to warrant direct intervention by the FBI and DoJ.

To counter it, the DoJ cleverly used the same malware to hack back into the routers, copy and delete any stolen data, as well as remove the malicious scripts, and alter the routers’ firewalls to prevent any further remote management of them. To coin a simple phrase, it hacked the hack.

Your next machine

Gaming PC group shot

(Image credit: Future)

Best gaming PC: The top pre-built machines.
Best gaming laptop: Great devices for mobile gaming.

As one can't always rely on the authorities to prevent one's router from being used for criminal activities, there are simple steps that anyone running a small business or office from home can follow.

Start by resetting the router back to its factory default settings (which will clear anything stored on it), then update it to the latest firmware version, followed by changing all of the default usernames and passwords, and then finally use its firewall to block any remote management access.

It can be quite hard to tell if your router is infected with malware or not, but the above actions will certainly help to nip that in the bud. What are you waiting for?

Nick Evanson
Hardware Writer

Nick, gaming, and computers all first met in 1981, with the love affair starting on a Sinclair ZX81 in kit form and a book on ZX Basic. He ended up becoming a physics and IT teacher, but by the late 1990s decided it was time to cut his teeth writing for a long defunct UK tech site. He went on to do the same at Madonion, helping to write the help files for 3DMark and PCMark. After a short stint working at Beyond3D.com, Nick joined Futuremark (MadOnion rebranded) full-time, as editor-in-chief for its gaming and hardware section, YouGamers. After the site shutdown, he became an engineering and computing lecturer for many years, but missed the writing bug. Cue four years at TechSpot.com and over 100 long articles on anything and everything. He freely admits to being far too obsessed with GPUs and open world grindy RPGs, but who isn't these days?