The FBI releases some advice for owners of Ubiquiti EdgeRouters used by Russian state hackers.
Hackers most commonly break into systems by way of compromised infrastructure and its IP addresses. Russian state hackers have been using certain Ubiquiti routers to penetrate networks unnoticed for several years. The FBI and partners from ten other countries are warning Ubiquiti EdgeRouter owners to check their equipment for suspicious signs and to follow a short list of advice. The group is tracked as APT28.
Router as a hiding place
The cheap Ubiquiti EdgeRouters are mainly used in private homes or small offices and run on a version of Linux that can host malware. These routers are the ideal hiding place for Russian hackers who use these devices for malicious activities.
FBI officials wrote in a note Tuesday: “With root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tools and hide their identities while conducting malicious campaigns.”
APT28 used the routers to harvest credentials, proxy malicious traffic, and host spoofed landing pages and custom post-exploitation malware. This is one of several attacks APT28 has carried out in recent years.
Advice for owners
Do you own such routers? Be sure to follow the FBI’s advice below. The FBI recently took down a GRU botnet made up of such routers. To ensure the long-term success of these disruption efforts, owners should take a few steps:
- Perform a hardware factory reset to remove all malicious files
- Update to the latest firmware version
- Change all default usernames and passwords
- Implement firewall rules that block access to remote management services (SSH, HTTPS GUI) from the internet
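The last two steps, rewritten as EdgeOS CLI commands. This is an added example and is not part of the FBI advisory or the article; it assumes `eth0` is the internet-facing (WAN) interface, `192.168.1.0/24` is the LAN, and `newadmin` / `CHANGE_ME` are placeholders for the credentials you choose. The "weak" state is what a fresh EdgeRouter ships with: the default `ubnt` account and no `local` firewall on the WAN interface, so SSH and the web GUI answer from anywhere.

```text
# --- Weak, as shipped: default account, management reachable from the WAN ---
# show system login          -> user ubnt (default password)
# show interfaces ethernet eth0 firewall   -> (empty: no local ruleset)

configure

# 1. Replace the default credentials: create a new admin, then remove 'ubnt'.
set system login user newadmin level admin
set system login user newadmin authentication plaintext-password 'CHANGE_ME'
delete system login user ubnt

# 2. Ruleset for traffic addressed to the router itself ("local" chain).
#    Default action drop: nothing reaches management unless a rule allows it.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'Traffic destined to the router on WAN'

# Allow replies to connections the router itself opened (NTP, firmware downloads).
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable

# Explicitly drop invalid packets.
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable

# Deliberately NO rule accepting tcp/22 or tcp/443 here: management
# (SSH, HTTPS GUI) is only reachable from the LAN side, which this
# ruleset does not cover.

# 3. Bind the ruleset to the WAN interface in the 'local' direction.
set interfaces ethernet eth0 firewall local name WAN_LOCAL

# Optional: pin SSH to the LAN address only (assumes the LAN IP below).
set service ssh listen-address 192.168.1.1

commit
save
exit

# Verify from the CLI after committing:
#   show firewall name WAN_LOCAL statistics
#   show system login
# From outside, port 22 and 443 on the WAN address should now time out.
```

Do the factory reset and firmware update (steps one and two of the list) before entering this configuration: a reset wipes any attacker-planted files together with the settings above, and the `add system image` command or the GUI updater should be run with the router already isolated from the internet-facing management exposure this ruleset removes.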
The report also states that APT28 has been using the infected routers since at least 2022 to enable covert operations against governments, militaries and organizations around the world.