Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks


Key points

  • Cybercriminals and nation state actors share a common interest in compromised routers that are used as an anonymization layer.
  • Cybercriminals rent out compromised routers to other criminals, and most likely also makes them available to commercial residential proxy providers.
  • Nation-state threat actors like Sandworm used their own dedicated proxy botnets, while APT group Pawn Storm had access to a criminal proxy botnet of Ubiquiti EdgeRouters
  • The EdgeRouter botnet used by Pawn Storm (disrupted by the US FBI in January 2024) goes back to 2016.
  • The botnet also includes other routers and virtual private servers (VPS). After the disruption, the botnet’s operator managed to move over bots to command-and-control (C&C) infrastructure that had been newly set up.
  • On some compromised EdgeRouters, we found activity from two significant cybercriminal groups and one nation-state threat actor (Pawn Storm)
  • It is of paramount importance to secure routers and only expose them to incoming internet connections only when it is critical for the business. We provide advice for network defenders and Small Office/Home Office (SOHO) network administrators to scan their routers for indications of them being used by nation-state threat actors and cybercriminals.

Read more…