U.S. Government Disrupts Russian-Linked Botnet Engaged in Cyber Espionage

By neub9


Feb 16, 2024 (Newsroom)

Botnet / Network Security

The U.S. government announced on Thursday that it has successfully disrupted a botnet made up of hundreds of small office and home office (SOHO) routers. The botnet was being used by the Russia-linked APT28 actor to hide its malicious activities.

“These crimes included vast spear-phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations,” the U.S. Department of Justice (DoJ) said in a statement.

APT28, also known under various other names, is believed to be linked to Unit 26165 of Russia’s Main Directorate of the General Staff (GRU) and has been active since at least 2007.

Court documents allege that the attackers compromised routers made by Ubiquiti to form a botnet and carried out cyber espionage campaigns.

The botnet, the DoJ said, allowed the threat actors to conceal their location, harvest credentials and NT LAN Manager (NTLM) v2 hashes, and host spear-phishing landing pages and custom tooling for malicious activities.
