Router as a GRU Weapon: How Russian Intelligence Turned Home Networks Into a Global Spy Platform

SBU, FBI and EU partners expose "Dying Ember" operation — GRU used over a thousand compromised routers from small businesses and households in over a dozen countries, including Ukraine, to steal credentials from government and military structures. A device sitting in the corner of an office could have been a Moscow spy node.

Illustrative photo: Unsplash

The Scheme: Someone Else's Crime as a GRU Tool

The attack did not begin with GRU. First, ordinary cybercriminals infected Ubiquiti EdgeOS routers with malicious software Moobot — through trivial factory passwords that owners simply failed to change. Then GRU Military Unit 26165, also known as APT28, Fancy Bear, or Forest Blizzard, entered the game: hackers intercepted already-infected devices and embedded their own scripts, transforming the botnet into a global spying platform.

As the U.S. Department of Justice explained, "GRU hackers used Moobot to install their own scripts and files that repurposed the botnet into a global cyber intelligence platform." This method allowed them to mask the real IP addresses of operators and redirect malicious traffic through routers in residential homes and small offices.

What Was Stolen and Where

The FBI discovered a broad arsenal of APT28 tools on compromised devices: Python scripts for collecting email credentials, programs for intercepting NTLMv2 hashes, and custom routing rules that redirected phishing traffic to specialized attack infrastructure.
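The three indicators the article describes (a factory account left in place, attacker-installed scripts, and custom routing rules that push traffic to outside infrastructure) can all be checked from a router's exported configuration. The following auditor is an added example written for this article, not a tool from the FBI, Ubiquiti or any of the named agencies. It parses a constructed configuration sample in a simplified Vyatta/EdgeOS-style brace syntax; the factory account name `ubnt`, the script path and the IP addresses are assumptions chosen for the example, and the addresses come from the 203.0.113.0/24 documentation range.

```python
"""Audit a router config export for the three indicators described above:
a factory account still present, scheduled scripts, and NAT rules that
forward inbound traffic to a non-local host. The config sample below is
constructed for this example (simplified EdgeOS/Vyatta-style syntax)."""
import ipaddress

# Assumption: factory account name to look for; adjust for your device family.
DEFAULT_ACCOUNTS = {"ubnt"}

# RFC 1918 ranges; anything outside these counts as an external forwarding target.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: factory user still present, a scheduled script, and a
# destination-NAT rule sending inbound port 445 to an external address.
SAMPLE_CONFIG = """
system {
    login {
        user ubnt {
            level admin
        }
    }
    task-scheduler {
        task update {
            executable {
                path /config/scripts/update.sh
            }
            interval 1h
        }
    }
}
service {
    nat {
        rule 5000 {
            outbound-interface eth0
            type masquerade
        }
        rule 10 {
            type destination
            inbound-interface eth0
            destination {
                port 445
            }
            translation {
                address 203.0.113.7
            }
        }
    }
}
"""


def parse_config(text):
    """Parse brace-delimited config into nested dicts.
    'key {' opens a child block; 'key value' becomes a leaf entry."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def is_private(addr):
    """True if addr parses as an IP inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def audit(cfg):
    """Return human-readable findings for the three indicator classes."""
    findings = []
    system = cfg.get("system", {})
    # 1. Factory account still configured (the article's initial entry point).
    for key in system.get("login", {}):
        if key.startswith("user ") and key.split(" ", 1)[1] in DEFAULT_ACCOUNTS:
            findings.append(f"factory account still present: {key.split(' ', 1)[1]}")
    # 2. Any scheduled executable deserves review: attacker scripts persist here.
    for key, task in system.get("task-scheduler", {}).items():
        if key.startswith("task "):
            path = task.get("executable", {}).get("path")
            if path:
                findings.append(f"scheduled script {key.split(' ', 1)[1]} runs {path}")
    # 3. Destination NAT that forwards inbound traffic to an external host.
    for key, rule in cfg.get("service", {}).get("nat", {}).items():
        if not key.startswith("rule "):
            continue
        target = rule.get("translation", {}).get("address")
        if target and not is_private(target):
            port = rule.get("destination", {}).get("port", "?")
            findings.append(f"NAT {key} forwards inbound port {port} to external host {target}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", line)
```

Run against the sample, the script reports all three findings; a clean configuration (non-factory admin user, no scheduled scripts, NAT only masquerading outbound) produces an empty list. Because the article notes that a reboot leaves the implant in place, a positive result is a prompt for the factory reset and firmware update the FBI recommends, not for editing the rules out by hand.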

The targets were governments, military structures, and corporations in at least 11 countries: Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, UAE, and the United States. According to a joint alert from the FBI, NSA, and U.S. Cyber Command, the attacks had been under way since at least 2022.

"We are evicting GRU from over a thousand home and office routers and closing the door behind them — killing GRU's access to the botnet they used for cyberattacks against countries around the world."

FBI Director Christopher Wray, Munich Security Conference, February 15, 2024

Operation Dying Ember: How the FBI Entered Your Router to Expel GRU

As part of the court-authorized Operation Dying Ember, FBI agents remotely accessed infected devices and used Moobot's own functionality to delete stolen data and malicious files. They then removed Moobot and blocked the remote access channels. The operation was conducted jointly by the FBI, U.S. Department of Justice, Microsoft, and Shadowserver Foundation with the participation of the SBU and law enforcement from Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom.

A critical nuance: rebooting an infected router does not remove the malicious software. According to FBI recommendations, owners must perform a complete factory reset and update the firmware — most have yet to do this.

Civilian Infrastructure as a Battlefield

This operation is not the first such case. In 2022, following Russia's full-scale invasion of Ukraine, the FBI dismantled another botnet belonging to a different GRU unit, Sandworm (Operation Cyclops Blink). The pattern repeats: GRU does not build its own infrastructure from scratch but parasitizes devices belonging to ordinary people that criminal hackers have already compromised.

Researchers from the Oxford Internet Institute describe this tactic as "blurring the boundary between military and civilian infrastructure": the state uses criminal tools to hide among millions of legitimate users — and complicate attribution of attacks in court or at the diplomatic level.

  • Over 1,000 routers in over 10 countries — confirmed scale of the botnet at the time of dismantling
  • Ubiquiti EdgeOS — primary target: devices do not update automatically and are widely used by small businesses
  • Factory password — initial entry point in most documented cases
  • APT28 active since 2007 — attacks on governments, armies, and corporations worldwide

If GRU applies this scheme again — and past precedents show they return with modified tools — the question is whether router manufacturers and regulators will have time to implement mandatory factory password changes before the next round: as long as Ubiquiti and similar brands do not transition to forced personalization of settings "out of the box," millions of devices remain open doors for the next operation.
