Inside of a computer

Countries fear state-sponsored cyberwar

Nation-state actors are changing their cyber tactics: China’s Volt Typhoon and Russia’s GRU are engaged in espionage operations, often infiltrating a company’s routers, but the countries are also prepositioning for a conflict later.

The World

Listen to a related interview on The World with Dina Temple-Raston, host of the “Click Here” podcast, by clicking the audio player above.

The US and partners around the world ousted Russian government hackers from a network of more than 1,000 home and small business routers, FBI Director Christopher Wray said on Thursday.

The law enforcement action, dubbed Operation Dying Ember, has not been previously announced.

“Working with US and worldwide law enforcement partners, we ran a court-authorized technical operation that knocked the Russian GRU [Main Intelligence Directorate] off well over 1,000 home and small business routers,” Wray told an audience at the Munich Cyber Security Conference in Germany.

“And [we] locked the door behind them, killing their access to a botnet they were using to run cyber operations around the world.”

In a subsequent announcement, the Department of Justice on Thursday said the operation in January neutralized routers “used to conceal and otherwise enable a variety of crimes.”

“These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as US and foreign governments and military, security, and corporate organizations,” the agency said.

The nature of the botnet differed from Russian government networks the FBI has disrupted in the past in that the GRU did not create it on its own, the agency said. Instead, the operation relied on “non-GRU cybercriminals” to install Moobot malware on Ubiquiti Edge OS routers using default administrator passwords, DOJ officials said.

“GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber-espionage platform,” the agency said.

In the operation, the Mirai-based Moobot malware was leveraged “to copy and delete stolen and malicious data and files from compromised routers.” To “neutralize” GRU access, the FBI and its partners modified the routers’ firewall rules to block remote management access.

Eyes on China

The announcement of the new takedown comes amid a broader survey of a number of successful cyber operations the US has launched alongside partners in the past few years.

“The good news is that we’ve learned what success can look like, we’ve lived it,” Wray said. “For the past several years, the bureau has been laser-focused on leading joint sequenced operations with our partners.”

The bad news, he said, is that while the bureau has improved at launching coordinated operations against cyber adversaries, “the world has become more dangerous than ever and chief among those adversaries is the Chinese government.”

He reiterated previous comments about how the cyber threat posed by the Chinese government is “massive,” adding that their “hacking program is larger than that of every other major nation combined and that size advantage is only magnified because the PRC uses AI, built in large part on stolen innovation and stolen data, to improve its hacking operations.”

The Chinese Communist Party is bullying nations it sees as adversaries or detractors, Wray said. Cross China, and “you might find your companies harassed and hacked by a web of PRC proxies.”

Wray’s decision to take aim at China’s cyber operations so publicly comes just a week after the US announced that hackers tied to the Chinese government were targeting US critical infrastructure by pre-positioning themselves with offensive cyber weapons in key US networks like telecommunications, water and aviation.

“These days it has reached something closer to a fever pitch,” Wray said of the Chinese operations. “What we’re seeing now is China’s increasing build-out of offensive weapons within our critical infrastructure poised to attack whenever Beijing decides is right.”

James Reddick contributed to this story.

An earlier version of this story was published at The Record.

Invest in independent global news

The World is an independent newsroom. We’re not funded by billionaires; instead, we rely on readers and listeners like you. As a listener, you’re a crucial part of our team and our global community. Your support is vital to running our nonprofit newsroom, and we can’t do this work without you. Will you support The World with a gift today? Donations made between now and Dec. 31 will be matched 1:1. Thanks for investing in our work!