The FBI spearheads a court-ordered operation to thwart a botnet controlled by the Russian state-linked threat group Forest Blizzard.
U.S. Disrupts Russian State-Linked Botnet Used for Cyber Attacks
In a significant move to protect critical infrastructure, the Department of Justice has disrupted a botnet controlled by the Russian state-linked threat group Forest Blizzard, also known as Fancy Bear, in a court-ordered operation. The botnet, built from Moobot malware installed on hundreds of vulnerable Ubiquiti EdgeOS routers, was used to conduct spear phishing and credential harvesting attacks in the U.S.
The action marks the second U.S. disruption of a botnet since January, following the disruption of the KV Botnet backed by Volt Typhoon, a threat group linked to the People's Republic of China.
Forest Blizzard, a Russian state-sponsored hacking group, has a long history of cyberattacks targeting government entities, critical infrastructure, political organizations, and security sectors worldwide. The group has been linked to notable activities such as cyber espionage operations against the US Democratic Party and European governments, and to activity around major events like the 2024 Paris Olympics. It has also been involved in attacks on Ukrainian targets, including reconnaissance on civilian bomb shelters before the Mariupol Theatre bombing, and hacking IP cameras to disrupt foreign aid.
The botnet used in the recent operation employed multiple tactics during its attacks, including password spraying. The impacted routers were still using default passwords, which is what left them vulnerable to compromise. Owners can regain normal control of the devices through a factory reset.
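Password spraying of the kind described above leaves a recognisable footprint in a router's authentication log: one source tries a handful of passwords against many different accounts, rather than hammering a single account. The following detector is an added example, not code from the article or from any of the organisations named in it; it assumes standard OpenSSH `sshd` "Failed password" lines (as written by Linux-based routers) and runs over constructed sample log lines.

```python
import re
from collections import defaultdict

# Matches OpenSSH failed-login lines; "invalid user" appears when the
# account does not exist on the device.
LOG_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: one spraying source, one single-account
# brute-force source, and one successful login that must be ignored.
SAMPLE_LOG = """\
Feb 15 10:01:02 edge sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Feb 15 10:01:03 edge sshd[1202]: Failed password for invalid user root from 203.0.113.7 port 51001 ssh2
Feb 15 10:01:04 edge sshd[1203]: Failed password for invalid user support from 203.0.113.7 port 51002 ssh2
Feb 15 10:01:05 edge sshd[1204]: Failed password for user from 203.0.113.7 port 51003 ssh2
Feb 15 10:02:00 edge sshd[1210]: Failed password for admin from 198.51.100.9 port 40000 ssh2
Feb 15 10:02:01 edge sshd[1211]: Failed password for admin from 198.51.100.9 port 40001 ssh2
Feb 15 10:02:02 edge sshd[1212]: Failed password for admin from 198.51.100.9 port 40002 ssh2
Feb 15 10:03:00 edge sshd[1220]: Accepted password for user from 192.0.2.5 port 22001 ssh2
"""


def parse_failures(log_text):
    """Return {source_ip: {username: failed_attempts}} from raw log text."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            failures[m["ip"]][m["user"]] += 1
    return failures


def classify_sources(failures, spray_min_users=3, brute_min_attempts=3):
    """Label each source 'spray' (many accounts, about one try each),
    'brute' (one account, many tries) or 'noise' (too little to judge)."""
    verdicts = {}
    for ip, users in failures.items():
        total = sum(users.values())
        if len(users) >= spray_min_users and total / len(users) < 2:
            verdicts[ip] = "spray"
        elif len(users) == 1 and total >= brute_min_attempts:
            verdicts[ip] = "brute"
        else:
            verdicts[ip] = "noise"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {verdict}")
```

The thresholds are deliberately low for the sample; on a production log, tune `spray_min_users` to the size of the account list and window the log by time so that a slow spray across a day is not averaged away.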
Researchers at Palo Alto Networks' Unit 42, which tracks the group as Fighting Ursa, said the exploitation activity against Microsoft Exchange servers included attacks on energy production, air transport, and pipelines. The FBI is working with local internet service providers to notify owners and operators of the routers.
Beyond Moobot, Forest Blizzard has been linked to a novel malware named Authentic Antics, which targets Microsoft Outlook users by stealing login credentials and OAuth tokens to gain unauthorized access to Microsoft services such as Exchange Online, SharePoint, and OneDrive.
John Hultquist, chief analyst at Mandiant Intelligence, Google Cloud, stated that as the U.S. moves deeper into election season, there has never been a better time to add friction to GRU operations.
| Aspect | Details |
|---|---|
| Alias | Forest Blizzard, Fancy Bear, APT28, Unit 26165, Pawn Storm, Sednit, Sofacy |
| Affiliation | Russian GRU military intelligence (Unit 26165) |
| Historical targets | US, Europe, Ukraine (civilian and military), political campaigns, investigations like Skripal |
| Notable malware | Authentic Antics (Outlook/Exchange credential theft), LAMEHUG (AI-powered malware) |
| Tactics | Phishing, credential harvesting, AI-assisted automation, network and hardware reconnaissance |
| Recent developments | Integration of AI/LLMs into malware for dynamic command generation and evasion |
This evidence underscores Forest Blizzard as a persistent, evolving threat actor that specifically targets critical communications infrastructure, including Microsoft Exchange servers, often with stealthy credential-stealing and data-exfiltration malware. Ukrainian cyber officials warned earlier this month that the hackers were stealing credentials of Ukrainian military personnel, indicating the group's continued activity in the region.
- The recent court-ordered operation disrupted a botnet controlled by the Russian state-linked group Forest Blizzard, which used Moobot malware on compromised routers to spear phish and harvest credentials in the U.S.
- The group, Fancy Bear, has a history of targeting government entities, critical infrastructure, political organizations, and security sectors worldwide, and has been linked to notable activities such as the cyber espionage operations against the US Democratic Party.
- Besides Moobot, Forest Blizzard has been associated with other malware like Authentic Antics, which steals login credentials from Microsoft Outlook users.
- As the election season progresses, researchers and cybersecurity experts emphasize the importance of adding friction to GRU operations to protect critical technology and infrastructure from cyber threats like those posed by Forest Blizzard.