FBI Director Christopher Wray speaking at the Munich Cyber Security Conference on February 15. Credit: MCSC

US and partners kicked Russian GRU hackers out of routers, FBI says

MUNICH, GERMANY — The U.S. and partners around the world ousted Russian government hackers from a network of more than 1,000 home and small business routers, FBI Director Christopher Wray said on Thursday.

The law enforcement action, dubbed Operation Dying Ember, has not been previously announced.

“Working with U.S. and worldwide law enforcement partners we ran a court authorized technical operation that knocked the Russian GRU [Main Intelligence Directorate] off well over 1,000 home and small business routers,” Wray told an audience at the Munich Cyber Security Conference in Germany.

“And [we] locked the door behind them, killing their access to a botnet they were using to run cyber operations around the world.”

In a subsequent announcement, the Department of Justice on Thursday said the operation in January neutralized routers “used to conceal and otherwise enable a variety of crimes.”

“These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations,” the agency said.

Unlike Russian government botnets the FBI has disrupted in the past, this one was not built by the GRU itself, the agency said. Instead, the operation relied on “non-GRU cybercriminals” who installed Moobot malware on Ubiquiti EdgeOS routers that were still using default administrator passwords, DOJ officials said.

“GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the agency said.

In the operation, the FBI and its partners turned the Mirai-based Moobot malware against the botnet, using it “to copy and delete stolen and malicious data and files from compromised routers.” To “neutralize” GRU access, they then modified the routers’ firewall rules to block remote management access. A firewall rule change of this kind is a stopgap rather than a cure: it does not alter the default credentials that let the botnet in, so owners of affected routers still need to change the administrator password and update the firmware.
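To make the “locked the door behind them” step concrete, the following is an added illustration (not FBI, DOJ or Ubiquiti code) of what blocking remote management on an EdgeOS-style router amounts to. It models a “local” firewall policy, the rule set applied to traffic addressed to the router itself, evaluates it against probes to the usual management ports, and emits the configure-mode commands that correspond to the hardened policy. The policy name WAN_LOCAL, the WAN interface name eth0, and the set of management ports are assumptions; the command syntax follows the Vyatta-derived EdgeOS CLI.

```python
"""Model of an EdgeOS-style 'local' firewall policy to show the difference
between a router whose management services are reachable from the WAN and
one where the door has been locked. Added example, not code from the
operation described above; names and ports are illustrative assumptions."""

from dataclasses import dataclass, field

# Assumed management services a default router exposes on its WAN address.
MANAGEMENT_PORTS = {22: "ssh", 80: "http", 443: "https"}


@dataclass
class Rule:
    action: str                       # "accept" or "drop"
    protocol: str = "all"             # "tcp", "udp" or "all"
    dst_ports: set = field(default_factory=set)  # empty set = any port
    state_established: bool = False   # match only replies to router-initiated traffic


@dataclass
class LocalPolicy:
    default_action: str               # verdict when no rule matches
    rules: list                       # evaluated in order, first match wins


@dataclass
class Packet:
    protocol: str
    dst_port: int
    established: bool = False         # True if part of a flow the router started


def evaluate(policy: LocalPolicy, pkt: Packet) -> str:
    """First-match evaluation of the policy; falls back to the default action."""
    for rule in policy.rules:
        if rule.protocol not in ("all", pkt.protocol):
            continue
        if rule.dst_ports and pkt.dst_port not in rule.dst_ports:
            continue
        if rule.state_established and not pkt.established:
            continue
        return rule.action
    return policy.default_action


# Weak configuration: no local policy bound to the WAN interface at all, so
# every unsolicited packet reaches whatever service is listening.
WEAK = None

# Hardened configuration: drop everything unsolicited, accept only packets that
# belong to connections the router itself initiated (established/related).
HARDENED = LocalPolicy(
    default_action="drop",
    rules=[Rule(action="accept", state_established=True)],
)


def reachable_management_ports(policy) -> list:
    """Names of management services an unsolicited WAN probe can reach."""
    reachable = []
    for port, name in MANAGEMENT_PORTS.items():
        probe = Packet(protocol="tcp", dst_port=port)
        verdict = "accept" if policy is None else evaluate(policy, probe)
        if verdict == "accept":
            reachable.append(name)
    return reachable


def edgeos_commands(wan_if: str = "eth0") -> list:
    """EdgeOS configure-mode commands equivalent to HARDENED (wan_if assumed)."""
    return [
        "configure",
        "set firewall name WAN_LOCAL default-action drop",
        "set firewall name WAN_LOCAL rule 10 action accept",
        "set firewall name WAN_LOCAL rule 10 state established enable",
        "set firewall name WAN_LOCAL rule 10 state related enable",
        f"set interfaces ethernet {wan_if} firewall local name WAN_LOCAL",
        "commit",
        "save",
    ]


if __name__ == "__main__":
    print("weak, reachable from WAN:", reachable_management_ports(WEAK))
    print("hardened, reachable from WAN:", reachable_management_ports(HARDENED))
    print("\n".join(edgeos_commands()))
```

The hardened policy still lets the router talk outbound and receive replies, which is why the “state established” rule is needed; without it the router could not reach its own update or DNS servers. Management should then happen only from the LAN side or over a VPN, and the exercise says nothing about the credentials themselves, which is why changing the default password remains a separate step.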

Eyes on China

The announcement of the new takedown came as part of a broader survey Wray gave of successful cyber operations the U.S. has launched alongside partners over the past few years.

“The good news is that we’ve learned what success can look like, we’ve lived it,” Wray said. “For the past several years the bureau has been laser focused on leading joint sequenced operations with our partners.”

The bad news, he said, is that while the bureau has improved at launching coordinated operations against cyber adversaries, “the world has become more dangerous than ever and chief among those adversaries is the Chinese government.”

He reiterated previous comments about how the cyber threat posed by the Chinese government is “massive,” adding that China’s “hacking program is larger than that of every other major nation combined and that size advantage is only magnified because the PRC uses AI, built in large part on stolen innovation and stolen data, to improve its hacking operations.”

The Chinese Communist Party is bullying nations it sees as adversaries or detractors, Wray said. Cross China, and “you might find your companies harassed and hacked by a web of PRC proxies.”

Wray’s decision to take aim at China’s cyber operations so publicly came just a week after the U.S. announced that hackers tied to the Chinese government were targeting U.S. critical infrastructure by pre-positioning themselves with offensive cyber weapons in key U.S. networks such as telecommunications, water and aviation.

“These days it has reached something closer to a fever pitch,” Wray said of the Chinese operations. “What we’re seeing now is China’s increasing build-out of offensive weapons within our critical infrastructure poised to attack whenever Beijing decides is right.”

James Reddick contributed to this story.


Dina Temple-Raston is the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future News. She previously served on NPR’s Investigations team focusing on breaking news stories and national security, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were You Thinking.”