A court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes.
According to Ars Technica, APT28 has been using the infected routers since at least 2022 to facilitate covert operations against governments, militaries, and organizations around the world, including in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US. Besides government bodies, industries targeted include aerospace and defense, education, energy and utilities, hospitality, manufacturing, oil and gas, retail, technology, and transportation. APT28 has also targeted individuals in Ukraine.
To better protect themselves, the U.S. FBI advises all victims to conduct the following remediation steps:
- Perform a hardware factory reset to flush the file systems of malicious files
- Upgrade to the latest firmware version
- Change any default usernames and passwords
- Implement strategic firewall rules to prevent the unwanted exposure of remote management services
The FBI strongly encourages router owners to avoid exposing their devices to the internet until they change the default passwords.
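As an added illustration of the checklist above (not code from the FBI advisory or from any router vendor), the following script audits a router configuration for three of the four remediation items: default credentials, stale firmware, and remote management services bound to the WAN interface. The configuration format, the default-credential list, and the sample configs are all constructed for this example.

```python
from __future__ import annotations

# Constructed, illustrative list of vendor default credential pairs.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("ubnt", "ubnt"), ("root", "root"),
}
# Services that count as remote management when reachable from the WAN side.
REMOTE_MGMT_SERVICES = {"ssh", "telnet", "http", "https"}


def audit_router(config: dict, latest_firmware: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed.

    `config` is a constructed dictionary shaped like a simplified router
    export; `latest_firmware` is the version string the vendor currently ships.
    """
    findings: list[str] = []
    # Checklist step 3: any account still using a known default pair.
    for user in config.get("users", []):
        if (user["name"], user["password"]) in DEFAULT_CREDENTIALS:
            findings.append(f"default credential in use: {user['name']}")
    # Checklist step 2: firmware not at the latest version (exact-match compare).
    current = config.get("firmware")
    if current != latest_firmware:
        findings.append(f"firmware {current} is not latest {latest_firmware}")
    # Checklist step 4: management services listening on the WAN interface.
    for svc in config.get("services", []):
        if svc["name"] in REMOTE_MGMT_SERVICES and "wan" in svc.get("bind", []):
            findings.append(f"{svc['name']} exposed on WAN (port {svc['port']})")
    return findings


# Constructed sample: the weak state the advisory warns about.
WEAK_CONFIG = {
    "firmware": "1.9.2",
    "users": [{"name": "admin", "password": "admin"}],
    "services": [
        {"name": "ssh", "port": 22, "bind": ["lan", "wan"]},
        {"name": "https", "port": 443, "bind": ["wan"]},
    ],
}
# Constructed sample: the same router after the remediation steps.
HARDENED_CONFIG = {
    "firmware": "2.0.1",
    "users": [{"name": "netops", "password": "Lq8!v3#mRz"}],
    "services": [
        {"name": "ssh", "port": 22, "bind": ["lan"]},
        {"name": "https", "port": 443, "bind": ["lan"]},
    ],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_router(cfg, "2.0.1") or ["no findings"])
```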
So this applies only to routers that still have default passwords? Otherwise how could hackers gain access?
To answer my own question: apparently it does only apply to routers with default passwords. From Ubiquiti’s forum…