Passthrough: Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations

The FBI, NSA, U.S. Cyber Command, and international partners are releasing this joint Cybersecurity Advisory (CSA) to warn of Russian state-sponsored cyber actors’ use of compromised Ubiquiti EdgeRouters (EdgeRouters) to facilitate malicious cyber operations worldwide. The authoring agencies assess the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS), also known as APT28, Fancy Bear, and Forest Blizzard (Strontium), have used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools.

The U.S. Department of Justice, including the FBI, and international partners recently disrupted a GRU botnet consisting of such routers. However, owners of relevant devices should take the remedial actions described in this joint CSA to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises. The full advisory can be accessed at FBI.gov.