A Russian state-backed cyberespionage group is using compromised Ubiquiti EdgeRouters to facilitate malicious cyber operations worldwide, according to a joint alert authored by cybersecurity and intelligence entities from eleven nations.

The warning comes nearly two weeks after the US authorities dismantled the notorious Moobot botnet comprising thousands of Ubiquiti Edge OS routers used by the Russian GRU-affiliated hacker group known as APT28, Fancy Bear or Forrest Blizzard (Strontium) to conduct their cyberespionage operations.

The court-authorized operation used the Moobot malware to copy and delete stolen and malicious data and files from compromised routers. It also reversibly modified the routers’ firewall rules to block remote management access to the devices, and enabled the temporary collection of non-content routing information that would expose GRU attempts to thwart the operation. Previously, Moobot, which is a Mirai variant, was observed targeting vulnerable D-Link routers using a mix of exploits.

According to the alert, APT28 has used compromised EdgeRouters to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools.

Since at least 2022, the group has used the botnet of hacked devices to conduct operations targeting government and military entities, and organizations around the world. These operations have targeted various industries, including aerospace and defense, education, energy and utilities, hospitality, manufacturing, oil and gas, retail, technology, and transportation. Targeted countries include the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US.

APT28 actors developed custom Python scripts to collect account credentials for specifically targeted webmail users. The threat actor uploaded these custom Python scripts to a subset of compromised Ubiquiti routers to validate stolen webmail account credentials collected via cross-site scripting and browser-in-the-browser spear-phishing campaigns.

The group has also been observed exploiting the Net-NTLMv2 hash leak (CVE-2023-23397) in Microsoft Outlook to collect NTLMv2 digests from targeted Outlook accounts.

“Given the global popularity of EdgeRouters, the FBI and its international partners urge EdgeRouter network defenders and users to apply immediately the recommendations ... to reduce the likelihood and impact of cybersecurity incidents associated with APT28 activity,” the agencies advised.

The mitigations include performing a hardware factory reset to flush file systems of malicious files, upgrading to the latest firmware version, changing any default usernames and passwords, and implementing strategic firewall rules on WAN-side interfaces to prevent the unwanted exposure of remote management services.

Earlier this week, Western cybersecurity officials cautioned that the Russian cyber espionage group APT29 is evolving its methods to infiltrate organizations that have migrated to cloud-based infrastructures.