In January 2024, the FBI executed a court-authorized operation to disrupt a botnet controlled by the GRU, Russia's military intelligence agency, built from hundreds of small office and home office routers in the United States and abroad.
The operation, announced in a February 2024 Department of Justice press release, targeted APT28, also known as Fancy Bear, and marked an unusual step: neutralizing foreign military infrastructure running on privately owned U.S. devices.
This wasn't just cybercrime. It was cyber espionage carried out on criminal tooling, aimed at long-term surveillance and credential theft.
"The GRU relied on Moobot malware, deployed by cybercriminals, to build its espionage platform."
🦠 Criminal Malware Repurposed for State Espionage
Unlike previous GRU malware efforts, this botnet didn't begin inside Russian intelligence.
It started as an ordinary Moobot infection: cybercriminals had hijacked Ubiquiti EdgeOS routers that were still using publicly known default administrator passwords.
GRU Military Unit 26165 then took over this existing network and installed its own scripts and files, turning it into a covert intelligence collection grid.
The infected routers were used to:
- Harvest credentials from foreign governments, militaries and corporations
- Launch spearphishing campaigns while disguising where the attacks came from
- Serve as relay points that masked the GRU's true infrastructure
"The GRU turned to criminal networks to hide in plain sight."
🔧 Operation Dying Ember: The FBI Fights Back
Working with a court order, FBI cyber teams leveraged the Moobot malware itself to:
- Copy and then delete stolen data, malicious files and GRU payloads from the compromised routers
- Modify each router's firewall rules to block remote management access, cutting off the GRU's way back in
- Temporarily collect non-content routing information to detect any GRU attempt to thwart the operation
Dubbed "Operation Dying Ember," the effort covered both U.S. and international victims, with hundreds of routers disrupted.
The firewall changes were reversible by owners (through a factory reset or access from the local network), and the operation collected no content: only the non-content routing data needed to confirm the GRU had been locked out while owners were notified.
"This was a two-for-one strike: against cybercriminals and foreign intelligence."
🛡️ Strategic Legal and Technical Power
Federal officials emphasized the combined legal and technological strategy behind the takedown:
- Attorney General Merrick Garland called it a warning shot to Moscow
- Deputy Attorney General Lisa Monaco noted it was the second state-sponsored botnet disruption in two months
- FBI Director Christopher Wray said it proved Russian intelligence "cannot hide behind American infrastructure"
The operation was led by FBI field offices in Boston and Philadelphia, supported by the DOJ’s National Security Cyber Section, Microsoft, and the Shadowserver Foundation.
"We're stripping Russian intelligence of its digital weapons, one router at a time."
⚠️ Router Owners Still at Risk
The Justice Department stressed that although the botnet was disrupted, the underlying weakness remains: without action by their owners, the routers stay open to reinfection.
To protect devices, the FBI urges owners to:
- Perform a hardware factory reset to flush malicious files from the file system
- Upgrade to the latest firmware
- Change the default administrator password instead of leaving the factory credentials in place
- Add firewall rules so that remote management services are not exposed to the internet unless explicitly required
Routers left exposed could be re-compromised by either criminal actors or foreign governments.
The report warns that many users still haven't changed default passwords, leaving them standing targets for the same exploits.
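As an added, runnable illustration of the last two items above (this is not FBI or Ubiquiti code): a small Python checker that reads the flat `set ...` lines EdgeOS prints for `show configuration commands` and flags a lingering `ubnt` account and management services reachable from the WAN. The two sample configurations are constructed for the example, not captured from a real device; the assumptions are that `eth0` is the WAN interface and that `listen-address` is what binds the SSH and web UI daemons to the LAN side.

```python
"""Added example: audit an EdgeOS `show configuration commands` dump for a
lingering default account and WAN-reachable management services.
Not FBI or Ubiquiti code; sample configs are constructed; eth0 assumed WAN."""
import shlex
from typing import List, Set, Tuple

Path = Tuple[str, ...]

# Constructed: a router still on factory settings (ubnt account, no WAN firewall).
WEAK_CMDS = """
set interfaces ethernet eth0 address dhcp
set service gui https-port 443
set service ssh port 22
set system login user ubnt authentication encrypted-password '$6$placeholder'
set system login user ubnt level admin
"""

# Constructed: the same router after the advice is applied. New admin account,
# ubnt removed, WAN_LOCAL drops new inbound traffic to the router itself, and the
# management daemons are bound (listen-address) to the LAN address only.
HARDENED_CMDS = """
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 address 192.168.1.1/24
set service gui https-port 443
set service gui listen-address 192.168.1.1
set service ssh port 22
set service ssh listen-address 192.168.1.1
set system login user netadmin authentication encrypted-password '$6$placeholder'
set system login user netadmin level admin
"""


def parse_commands(text: str) -> Set[Path]:
    """Turn 'set a b c' lines into tuples such as ("service", "ssh", "port", "22").
    shlex keeps quoted values (password hashes) as one token; other lines are ignored."""
    paths: Set[Path] = set()
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] == ["set"]:
            paths.add(tuple(tokens[1:]))
    return paths


def audit(text: str, wan_if: str = "eth0") -> List[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    cfg = parse_commands(text)
    findings: List[str] = []
    if any(p[:4] == ("system", "login", "user", "ubnt") for p in cfg):
        findings.append("default account 'ubnt' still exists")
    # A management daemon with no listen-address answers on every interface, WAN included.
    exposed = [s for s in ("ssh", "gui")
               if any(p[:2] == ("service", s) for p in cfg)
               and not any(p[:3] == ("service", s, "listen-address") for p in cfg)]
    chains = [p[6] for p in cfg
              if len(p) > 6 and p[:6] == ("interfaces", "ethernet", wan_if, "firewall", "local", "name")]
    if not chains:
        if exposed:
            findings.append(f"no local firewall on {wan_if}; {', '.join(exposed)} reachable from WAN")
        return findings
    chain = chains[0]
    if ("firewall", "name", chain, "default-action", "drop") not in cfg:
        findings.append(f"{chain} default-action is not drop")
    # An accept rule not limited to established flows lets new WAN connections reach the router.
    for p in sorted(cfg):
        if (p[:4] == ("firewall", "name", chain, "rule") and p[5:7] == ("action", "accept")
                and ("firewall", "name", chain, "rule", p[4], "state", "established", "enable") not in cfg):
            findings.append(f"{chain} rule {p[4]} accepts new inbound connections to the router")
    return findings


if __name__ == "__main__":
    for label, cmds in (("factory", WEAK_CMDS), ("hardened", HARDENED_CMDS)):
        print(label, audit(cmds) or "OK")
```

Run it against the saved output of `show configuration commands` from the router. Factory reset state and firmware level are not visible in a configuration dump, so those two items on the FBI's list still have to be verified by hand on the device.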
"Your home router is now a battleground in global espionage."
🧾 Cyber Espionage Meets Cyber Crime
This operation underscores a disturbing trend: nation-state actors leveraging the tools of cybercriminals, hijacking their malware, and burrowing into civilian infrastructure.
By turning small office routers into covert spy nodes, the GRU blurred the lines between military and civilian, crime and war.
The DOJ’s takedown was a technical win.
But the battlefield remains open.