Over the past month, U.S. government agencies issued statements accusing a pro-Russian hacking collective known as Fancy Bear of orchestrating a broad campaign to compromise Ubiquiti EdgeRouters for cyber espionage. In an interview with socialbites.ca, Pavel Sitnikov, a Russian hacker and founder of the information security company xPanamas, called these statements blasphemous. He argued that they reflect political theater aimed at securing additional funding for cyber defense from agencies like the NSA and FBI. The broader implication is that these declarations are part of a larger pattern of official cyber rhetoric rather than a precise account of activity by a single threat group.
The official statements from U.S. authorities show a coordinated emphasis on a network of hundreds of Ubiquiti devices infected with malware that let actors linked to Russian intelligence conduct espionage operations in the United States. The U.S. Department of Justice published a notice stating that a malware-laden network of Ubiquiti EdgeRouters had been neutralized, signaling that the intrusions had reached a scale of concern for national security. Separately, the Federal Bureau of Investigation released a document on behalf of the National Security Agency, United States Cyber Command, and international partners, accusing the GRU and Fancy Bear of ongoing intrusions into Ubiquiti EdgeRouters designed to gather intelligence. This alignment among multiple agencies underscores the seriousness with which the U.S. government treats potential cyber threats against critical infrastructure.
Sitnikov described both sets of statements as inconsistent with the full spectrum of available evidence. He noted that cybercriminal networks have long been aware of compromised Ubiquiti devices infected with the Moobot malware. Moobot is not limited to Fancy Bear, and that group, like many others, has reportedly used compromised Ubiquiti EdgeRouters for a variety of objectives. Sitnikov argued that presenting Fancy Bear as the sole actor in these incidents is a political choice that benefits those seeking to justify heightened cyber spending and defensive measures aimed at a perceived adversary. The assertion also appears to fit a broader narrative used during busy political periods in the United States, as lawmakers and agencies navigate fiscal planning for cyber defense.
According to Sitnikov, access to these routers through the Moobot infection is widely distributed via a service model that has been active since at least late 2022. The footprint is global, and the same compromised devices can be used by different actors for different purposes. He suggested that FBI and NSA officials may favor attributing the activity to Fancy Bear because it supplies a tangible, geopolitical target that justifies more aggressive protective investments. Sitnikov highlighted the timing of the discussions as strategically convenient, especially amid election-related media scrutiny, because it can help secure fresh funding for safeguarding the nation from cybercrime without risking direct interference in the electoral process.
These remarks point to a broader pattern where officials in American security and law enforcement are perceived by some observers as using public narratives to shape perceptions of threat and to secure budgetary support. Sitnikov argued that such profiles of threat actors are often deployed to frame investment decisions and to sustain attention on defense priorities, particularly in the context of evolving digital threats. He emphasized that the reality of the cyber landscape includes a variety of actors who may exploit the same hardware for different ends, rather than a single, clearly defined adversary.
Earlier in the year, highly organized foreign hackers carried out espionage operations aimed at Russia itself, illustrating the reciprocal nature of modern cyber conflict. The incident sequence highlights how cyber espionage can be a tool for geopolitical maneuvering, with each side leveraging digital intrusions to gain strategic advantages. Analysts caution that attribution remains complex and that public statements by government agencies may reflect both technical findings and political considerations.