US Dept of Justice used existing router malware to quietly purge a Russia-backed 'vast spearphishing' botnet from devices in peoples' homes

3D illustration of a grid of black cpus with different IoT symbols, representing a botnet concept
(Image credit: BeeBright via Getty Images)

There aren't many stories in the world of technology that could easily make it as a plot for a tense spy-thriller movie, but this one sure has all the right hallmarks for one. Last month, the US Justice Department carried out an authorised operation in which it neutralised a botnet, comprising hundreds of routers in homes and offices, that was used to carry out spearphishing and other credential theft. And it was achieved by using the very same malware that the botnet itself ran on.

As reported by Ars Technica, the network was created by the officially titled GRU Military Unit 26165 (also known by the names Forest Blizzard, Fancy Bear, Sednit, and others), a state-sponsored hacking group that is reported to have direct ties to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU, for short).

But rather than using its own malware, or anything developed by the GRU, the group used a piece of malware called Moobot that has been used before against insecure routers. In this instance, it infected the operating system on certain Ubiquiti Edge routers that were still using the default, publicly known admin passwords.

Once up and running, the group could then use the network to scrape all kinds of information passing through the routers. While the number of infected routers was relatively small, around a thousand or so, it was more than enough to create an effective botnet that was invasive enough to warrant direct intervention by the FBI and DoJ.

To counter it, the DoJ cleverly used the same malware to hack back into the routers, copy and delete any stolen data, as well as remove the malicious scripts, and alter the routers’ firewalls to prevent any further remote management of them. To coin a simple phrase, it hacked the hack.


As one can't always rely on the authorities to prevent one's router from being used for criminal activities, there are simple steps that anyone running a small business or office from home can follow.

Start by resetting the router back to its factory default settings (which will clear anything stored on it), then update it to the latest firmware version, followed by changing all of the default usernames and passwords, and then finally use its firewall to block any remote management access.
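The two settings that matter most in that checklist, the default admin account and the firewall rule that blocks remote management, can be checked against a router's exported configuration. The script below is an added example written for this article, not code from the Justice Department, Ubiquiti or Ars Technica. It parses a constructed, EdgeOS-style brace-formatted config (the section names, the `WAN_LOCAL` ruleset and the factory account name `ubnt` are assumptions about that format, not facts taken from the article), flags the two weak settings, and shows what the same config looks like once the article's steps have been applied.

```python
"""Hygiene audit for a Vyatta/EdgeOS-style router config export.

Added example, not from the article. The config text, section names and
the assumed factory account name are constructed for illustration.
"""
import copy

# Constructed sample: a config export as it might look before hardening.
SAMPLE_CONFIG = """
firewall {
    name WAN_LOCAL {
        default-action accept
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
service {
    gui {
        https-port 443
    }
    ssh {
        port 22
    }
}
system {
    login {
        user ubnt {
            level admin
        }
    }
}
"""

DEFAULT_USERS = {"ubnt"}  # assumed factory default account name


def parse_config(text):
    """Parse 'key { ... }' blocks and 'key value' lines into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)
            continue
        parts = line.split(None, 1)
        stack[-1][parts[0]] = parts[1] if len(parts) > 1 else ""
    return root


def audit(config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    logins = config.get("system", {}).get("login", {})
    for key in logins:
        if key.startswith("user ") and key.split(" ", 1)[1] in DEFAULT_USERS:
            findings.append("default-account:" + key.split(" ", 1)[1])
    # Management is reachable from the WAN unless WAN_LOCAL drops by default.
    wan_local = config.get("firewall", {}).get("name WAN_LOCAL")
    if wan_local is None or wan_local.get("default-action") != "drop":
        exposed = sorted(s for s in ("gui", "ssh") if s in config.get("service", {}))
        findings.append("wan-management-open:" + ",".join(exposed))
    return findings


def harden(config):
    """Return a copy with default accounts replaced and WAN_LOCAL dropping by default."""
    fixed = copy.deepcopy(config)
    login = fixed.setdefault("system", {}).setdefault("login", {})
    for key in list(login):
        if key.startswith("user ") and key.split(" ", 1)[1] in DEFAULT_USERS:
            del login[key]
    # Placeholder replacement account so the device is not left without an admin.
    login.setdefault("user admin-example", {"level": "admin"})
    fixed.setdefault("firewall", {}).setdefault("name WAN_LOCAL", {})["default-action"] = "drop"
    return fixed


if __name__ == "__main__":
    before = parse_config(SAMPLE_CONFIG)
    print("before:", audit(before))
    print("after: ", audit(harden(before)))
```

The `harden` function only edits the parsed copy; it is there to show the target state, not to push changes to a device. Note that on a real router, removing the factory account before creating a replacement admin account is a quick way to lock yourself out, which is why the example adds a placeholder account in the same step.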

It can be quite hard to tell if your router is infected with malware or not, but the above actions will certainly help to nip that in the bud. What are you waiting for?

Nick Evanson
Hardware Writer

Nick, gaming, and computers all first met in 1981, with the love affair starting on a Sinclair ZX81 in kit form and a book on ZX Basic. He ended up becoming a physics and IT teacher, but by the late 1990s decided it was time to cut his teeth writing for a long defunct UK tech site. He went on to do the same at MadOnion, helping to write the help files for 3DMark and PCMark. After a short stint working at Beyond3D.com, Nick joined Futuremark (MadOnion rebranded) full-time, as editor-in-chief for its gaming and hardware section, YouGamers. After the site shut down, he became an engineering and computing lecturer for many years, but missed the writing bug. Cue four years at TechSpot.com and over 100 long articles on anything and everything. He freely admits to being far too obsessed with GPUs and open world grindy RPGs, but who isn't these days?
