US officials say they have disrupted a hacking network linked to Russian intelligence services.
They say the hackers – believed to be from the secretive hacking arm of Russia’s Main Intelligence Directorate (better known as the GRU) – gained access to more than 1,000 personal and small business internet routers in the US and around the world.
The hackers then used the infected devices to launch “harvesting campaigns” against targets of “intelligence interest” to the Russian government, according to the US Justice Department.
However, the department says the campaign was disrupted by US officials, including teams from the FBI, who managed to secretly “neutralise” the network by remotely making changes to the infected routers.
US deputy attorney general, Lisa Monaco, said it was the second time in two months that the department had disrupted state-sponsored hackers from launching cyberattacks behind the cover of compromised routers.
“In this case, Russian intelligence services turned to criminal groups to help them target home and office routers,” US attorney general, Merrick Garland, said in a statement about the operation.
“But the Justice Department disabled their scheme. We will continue to disrupt and dismantle the Russian government’s malicious cyber tools that endanger the security of the United States and our allies.”
How did the hack work?
The Justice Department blamed the attack on the Fancy Bear hacking group – also known as APT 28 – which the US alleges is the secretive hacking arm of the GRU, known as Unit 26165.
They say it involved hackers exploiting a certain type of internet router that still uses publicly known default administrator passwords – which in some cases can be as simple as “password”, “0000” or “1111”.
After gaining access through the default passwords, the hackers then infected the devices with malware.
Through this, they created what is known as a “botnet” – a network of privately owned devices infected with malicious software and controlled as a group without the owners’ knowledge.
The botnet included devices in the US and other parts of the world and was labelled by the US as a “global cyber espionage platform”.
Operation Dying Ember
Armed with a court order, and in an operation named Dying Ember, the FBI in January managed to disable the botnet by copying and deleting the stolen data before remotely changing the firewall settings of the devices to block further access.
Special agent in charge, Jodi Cohen, of the FBI Boston Field Office, said: “Operation Dying Ember was an international effort led by FBI Boston to remediate over a thousand compromised routers belonging to unsuspecting victims here in the United States and around the world that were targeted by malicious nation state actors in Russia to facilitate their strategic intelligence collection.
“This operation should make it crystal clear to our adversaries that we will not allow anyone to exploit our technology and networks.”
The FBI has urged all victims to perform a hardware factory reset to flush the file systems of malicious files and upgrade to the latest firmware version, as well as change any default usernames and passwords and implement strategic firewall rules.