Russian Hackers Use Compromised EdgeRouters In Global Cyber Attacks

Giulio Saggin
Giulio Saggin
Thursday 29 February 2024
Russian Hackers Use Compromised EdgeRouters In Global Cyber Attacks
Grzegorz Walczak / Unsplash

US and international law enforcement agencies have released a joint cybersecurity advisory (CSA) warning of Russian state-sponsored cyber actors’ using compromised Ubiquiti EdgeRouters in cyber attacks worldwide.

The coalition of agencies, including the FBI, NSA, US Cyber Command, and agencies from, among others, the UK, Germany, Brazil and Norway, assessed that Russian-backed APT28, aka Fancy Bear, and Forest Blizzard (Strontium), used EdgeRouters to gather credentials, collect NTLMv2 digests and proxy network traffic. The routers have also been used to host spear-phishing landing pages and custom tools targeting the likes of governments, militaries, and organisations around the world.

Industries, such as Aerospace & Defense, Education, Energy & Utilities, Hospitality, Manufacturing, Oil & Gas, Technology, and Transportation, have been targeted, along with individuals in Ukraine.

"As far back as early as 2022, APT28 actors had used compromised EdgeRouters for covert cyber attacks," stated the advisory, and in January this year, an APT28 botnet consisting hundreds of routers was neutralised by a court-authorised operation.

Routers using default administrator passwords were targeted using Moobot malware.

"Hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform," stated the US Department of Justice.

EdgeRouter users are urged to apply immediately the recommendations in the Mitigations section of the CSA - HERE - to reduce the likelihood of any APT28 attacks.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.


SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203