Russian hackers using 'compromised' internet routers for cyber operations, US, international law enforcement warn

Law enforcement has warned of hacking by Russian cyber actors.

February 28, 2024, 5:36 AM

Federal and international law enforcement are warning of Russian cyber actors using "compromised" internet routers for cyber operations.

Russian state-sponsored hackers are exploiting Ubiquiti EdgeRouters and using their default credentials to break into them, the FBI and its international partners warned in a cyber alert dated Feb. 27.

"The U.S. Department of Justice, including the FBI, and international partners recently disrupted a GRU botnet consisting of such routers," the alert says. "However, owners of relevant devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises."

The FBI says the routers are very popular for consumers and cyber criminals alike.

The Russian cyber actors, who are known collectively as APT28, have exploited various industries, including aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, technology and transportation, according to officials.

Targeted countries have included the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates and the U.S., the alert said.

It is believed APT28 is the primary Russian group hacking into the routers, but there are other Russian groups as well.

"Additionally, the actors have strategically targeted many individuals in Ukraine," the alert says.

The FBI urges consumers to update the devices as soon as they receive them to avoid compromise.

"Ubiquiti EdgeRouters have a user-friendly, Linux-based operating system that makes them popular for both consumers and malicious cyber actors. EdgeRouters are often shipped with default credentials and limited to no firewall protections to accommodate wireless internet service providers (WISPs). Additionally, EdgeRouters do not automatically update firmware unless a consumer configures them to do so," the alert says.

"In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns."

A Ubiquiti representative didn't immediately respond to a request for comment from ABC News.
