US Gov Dismantled The Moobot Botnet Controlled by Russia-Linked APT28

In January 2024, a court-authorized operation took down the Moobot botnet, a network of hundreds of compromised small office/home office (SOHO) routers under the control of the Russia-linked group APT28. The court order allowed law enforcement to use the Moobot malware's own capabilities to copy and then delete stolen data and malicious files from the compromised routers. Authorities also blocked the Russian operators' access to the devices by reversibly modifying the routers' firewall rules to deny remote management access. The U.S. Department of Justice stated that the operation did not affect the routers' normal functionality and that no legitimate user content was collected.

Analyst Comments:
The development follows the FBI's takedown of KV-Botnet, a sophisticated botnet also composed of compromised SOHO routers, which was used by Volt Typhoon, a China-linked threat group. The latest action reflects a continuing effort by law enforcement to dismantle this kind of infrastructure and to counter the threat that nation-state actors such as APT28 and Volt Typhoon pose to U.S. critical infrastructure.