Feds dismantle sprawling Russian GRU botnet that hijacked 18,000 routers for espionage

April 13, 2026 | 6 min read | 3 sources

A global espionage network, dismantled from the inside

In a significant counterintelligence operation, the U.S. Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) have successfully neutralized a global botnet controlled by one of Russia’s most aggressive military intelligence units. The network, comprising approximately 18,000 compromised networking devices, was operated by the threat group known as Forest Blizzard, which security officials attribute to Russia's Main Intelligence Directorate of the General Staff (GRU), Unit 26165.

The operation, dubbed “Operation Moonglow” by Microsoft, targeted a sophisticated campaign that hijacked traffic from small office/home office (SOHO) routers to steal credentials and authentication tokens for high-value targets. This action represents another move in a proactive strategy by U.S. authorities to actively disrupt foreign state-sponsored cyber infrastructure rather than just defend against it.

The actor and the operation: Forest Blizzard’s Moonglow

Forest Blizzard, also widely known as APT28, Fancy Bear, and Strontium, is a name synonymous with some of the most audacious cyber operations of the last decade, including the 2016 hack of the Democratic National Committee. Their activities consistently align with the strategic interests of the Russian government, focusing on intelligence collection from government, military, and policy organizations worldwide.

According to a DOJ announcement on May 7, 2024, this latest campaign began in 2022. The GRU operators systematically compromised Ubiquiti EdgeRouters that were vulnerable due to unpatched firmware or the use of default administrative credentials. Once compromised, these routers were infected with custom malware that Microsoft has named “Moonglow.”

The infected devices formed a distributed, covert network that served as a proxy layer for Forest Blizzard’s attacks. By routing their malicious traffic through thousands of legitimate, but compromised, SOHO routers in the U.S. and abroad, the GRU operators could effectively mask their origins and make attribution far more difficult for network defenders.

Technical breakdown: Hijacking traffic to steal access tokens

The technical approach used by Forest Blizzard was both elegant and effective. The Moonglow malware was not a blunt instrument like ransomware; it was a precision tool for espionage designed for stealth and persistence.

Its primary function was to reconfigure the router’s networking rules to perform traffic hijacking, a form of on-path or “man-in-the-middle” attack. When a user on a network behind a compromised router attempted to access a legitimate web service, such as Microsoft 365, the Moonglow malware could intercept and redirect that traffic.

The goal was to harvest credentials and, more importantly, authentication tokens. While passwords can be changed, OAuth tokens and session cookies are digital keys that grant access to accounts and services without needing a password. Stealing a valid token can allow an attacker to bypass multi-factor authentication (MFA) entirely, giving them persistent access to a user’s email, cloud storage, and other sensitive data until the token expires or is revoked. Microsoft Threat Intelligence noted that the campaign specifically targeted NTLMv2 hashes and OAuth tokens for Microsoft accounts, which are a gateway to a treasure trove of intelligence for a foreign adversary.

The choice of Ubiquiti EdgeRouters was strategic. These devices are powerful, widely used by small businesses and tech-savvy individuals, but often fall into a management gap—they are more complex than typical consumer routers but frequently lack the dedicated IT oversight found in large enterprises.

Impact assessment: Who was in the crosshairs?

The victims of this credential-harvesting campaign were not random. Forest Blizzard’s targeting reflects the GRU’s intelligence collection priorities. According to U.S. officials and Microsoft, the intended targets included:

  • Government agencies in the U.S. and Europe
  • Defense contractors and military organizations
  • Foreign policy think tanks
  • Security-focused non-governmental organizations (NGOs)
  • Educational institutions

By compromising accounts within these entities, the GRU could gain insight into sensitive policy discussions, military planning, and national security research. The disruption of the Moonglow botnet deals a significant blow to this specific intelligence-gathering capability, forcing the GRU to retool and rebuild its infrastructure, which costs time and resources.

A digital exorcism: How the FBI cleaned 18,000 devices

The U.S. government's response was not passive. Operating under a warrant issued by the U.S. District Court for the Southern District of California, the FBI executed a remote operation to neutralize the Moonglow malware on the compromised routers within the United States.

Instead of simply notifying the owners, FBI agents sent commands to the infected devices that deleted the malicious files comprising the Moonglow malware. They also implemented firewall rules to block communication with the GRU’s command-and-control infrastructure, preventing reinfection. This “digital exorcism” is part of a growing trend of court-authorized disruptions, following similar actions against the Volt Typhoon botnet (China) and the Snake malware (Russia’s FSB).

This proactive approach, while effective, underscores the scale of the challenge. The internet’s edge is littered with millions of poorly secured devices that state actors are more than willing to exploit for their own ends.

How to protect your network edge

While the FBI has cleaned many of the infected devices, the vulnerabilities that allowed this botnet to flourish still exist. Owners of SOHO routers and organizations of all sizes must take steps to secure their network perimeter.

For individuals and small businesses

  1. Change Default Credentials: This is the single most important step. If your router’s admin password is still “admin,” “password,” or the default printed on the sticker, change it immediately to a long, unique passphrase.
  2. Update Firmware: Regularly check for and install firmware updates from the manufacturer. These updates often contain critical security patches for known vulnerabilities. Enable automatic updates if the option is available.
  3. Disable Remote Management: Unless you have a specific need and understand the risks, disable remote administration (access to the router’s settings from the internet). If you must have it, restrict access to specific, trusted IP addresses.
  4. Use Strong Wi-Fi Encryption: Ensure your Wi-Fi network is protected with WPA3 or, at a minimum, WPA2 encryption and a strong password.

For larger organizations

  1. Enforce MFA Everywhere: Ensure that MFA is enabled and enforced for all user accounts, especially for access to cloud services like Microsoft 365. This is the best defense against stolen credentials.
  2. Monitor for Token Abuse: Implement security solutions that can detect anomalous token usage, such as logins from unusual locations or attempts to use a token for activities outside of normal user behavior.
  3. Secure Edge Devices: Treat all network edge devices, including SOHO routers used by remote workers, as part of your security perimeter. Provide employees with secure, pre-configured hardware and establish policies for patching and management. Using a corporate VPN service can also help secure traffic from remote locations.
  4. Network Segmentation: Segment networks to prevent an attacker who compromises one device from moving laterally to access critical systems.
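One way to implement the token-abuse monitoring in point 2 above, as an added example that is not from the article or from any vendor product: it reads constructed sign-in records (the field names, token ids and sample values are assumptions) and flags a token reused from a different country or client within a short window, the pattern a replayed OAuth token or session cookie tends to produce.

```python
"""Flag anomalous reuse of authentication tokens across sign-in events."""
import json
from datetime import datetime, timedelta

# Constructed sign-in records (not real telemetry): one JSON line per token use.
SAMPLE_LOG = """
{"ts": "2026-04-13T08:00:00Z", "user": "alice", "token_id": "tok-1", "country": "US", "ua": "Outlook/16"}
{"ts": "2026-04-13T08:20:00Z", "user": "alice", "token_id": "tok-1", "country": "US", "ua": "Outlook/16"}
{"ts": "2026-04-13T08:25:00Z", "user": "alice", "token_id": "tok-1", "country": "BR", "ua": "python-requests/2.31"}
{"ts": "2026-04-13T09:00:00Z", "user": "bob",   "token_id": "tok-2", "country": "DE", "ua": "Outlook/16"}
{"ts": "2026-04-14T09:00:00Z", "user": "bob",   "token_id": "tok-2", "country": "US", "ua": "Outlook/16"}
"""

WINDOW = timedelta(hours=2)   # a country/client change faster than this is suspicious


def parse_events(text):
    """Parse JSON lines into dicts with real datetimes, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_token_abuse(events, window=WINDOW):
    """Return alerts for tokens used from a second country or client within `window`."""
    alerts = []
    last = {}                       # token_id -> most recent use of that token
    for e in events:
        prev = last.get(e["token_id"])
        if prev is not None and e["ts"] - prev["ts"] <= window:
            reasons = []
            if e["country"] != prev["country"]:
                reasons.append(f"country {prev['country']}->{e['country']}")
            if e["ua"] != prev["ua"]:
                reasons.append(f"client {prev['ua']!r}->{e['ua']!r}")
            if reasons:
                alerts.append({"user": e["user"], "token_id": e["token_id"],
                               "at": e["ts"].isoformat(), "reasons": reasons})
        last[e["token_id"]] = e
    return alerts


if __name__ == "__main__":
    for alert in find_token_abuse(parse_events(SAMPLE_LOG)):
        print(alert)
```

Bob's token moves country a full day later, so it is not flagged; Alice's token is reused five minutes later from another country and a scripted client, which is the case worth revoking the token for.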

The takedown of the Moonglow botnet is a victory for defenders. But it is also a stark reminder that Russian military intelligence and other state actors are persistently working to turn the building blocks of our internet against us. Securing the edge is no longer optional—it is a front line in a global cyber conflict.


// FAQ

What is Forest Blizzard / APT28?

Forest Blizzard, also known as APT28 or Fancy Bear, is a highly sophisticated cyber espionage group attributed to Russia's military intelligence agency, the GRU. They are known for targeting government, military, and political organizations worldwide to gather intelligence aligned with Russia's strategic interests.

How do I know if my router was part of this botnet?

The FBI's operation automatically removed the malware from compromised devices within the U.S. and implemented firewall rules to prevent reinfection. However, the best practice is to perform a factory reset of your router, update it to the latest firmware, and change the default administrative password to a unique, strong one.

What are OAuth tokens and why are they so valuable to hackers?

OAuth tokens are special access keys that applications use to access your data on other services without needing your password (e.g., a calendar app accessing your Google account). For hackers, stealing these tokens is like stealing a master key. It can allow them to access your accounts, like Microsoft 365, even if you have a strong password and multi-factor authentication (MFA) enabled.

Why are SOHO routers such a common target for nation-state hackers?

Small office/home office (SOHO) routers are attractive targets because they are numerous, often have unpatched security vulnerabilities, and are frequently protected only by weak or default passwords. Compromising them allows attackers to create a large, distributed network of proxies that hides their true location and makes their malicious traffic difficult to trace.

What was the FBI's role in this operation?

The FBI, acting under a court order, conducted a remote technical operation to access the thousands of compromised routers. They copied and deleted the malicious 'Moonglow' malware and added firewall rules to prevent the GRU from regaining control. This proactive measure disrupted the botnet and neutralized the immediate threat.
