FBI, EU break up major malware network

One of the most notorious bot networks has been crippled. Scores of cybercriminals used Qakbot to infect hundreds of thousands of computers with malware and carry out ransomware attacks across the globe. An international law enforcement and justice coalition took control of the global malware network, removed the malware from infected computers, and seized or froze about US$8.7 million (8 million euros) in related cybercurrency.

Operation Duck Hunt was led the FBI and Justice Department with assistance from Europol, Eurojust, and other partners in France, the United Kingdom, Germany, the Netherlands, Romania and Latvia.

Qakbot was responsible for “tens of millions of dollars in losses through ransomware payments,” noted Martin Estrada, the U.S. Attorney, Los Angeles. During the 18 months of the investigation, Qakbot was used to launch about 40 ransomware attacks netting around $58 million (53.6 million euros).

Estrada said not only does dismantling Qakbot save consumers and victims tens of millions of dollars of losses throughout the world, but the seized funds can be used to pay some money back to victims of the cyberattacks.

‘One of the longest-running botnets ever seen’

Qakbot (aka Qbot or Pinkslipbot) was a far-reaching cybercriminal supply chain, explained FBI Director Christopher Wray.

In 2021, the U.S. Health Department (HHS) detailed the scope of Qakbot including its techniques, major ransomware partners, and attacks on healthcare providers. In a two-week period, one hospital found more than 50 malicious emails trying to distribute Qbot malware. HHS noted an investigation found a compromised third-party vendor was the most likely gateway used to send the phishing emails to hospital email accounts.

“Last year, cybercrooks used this botnet to steal gigabytes of private information from a health provider and later leaked that information on the dark web,” Wray said.

According to Eastrada, “Nearly every sector of the economy has been victimized by Qakbot.”

He and Wray noted victims ranged from a food distribution company and a medical device manufacturer on the west coast, to an engineering firm and a critical infrastructure government contractor in the Midwest, and a defense contractor and financial institutions on the east coast.

Related content: 2023 Cybersecurity Global Threat Report

Europol said Qakbot has been active since at least 2007 and has evolved its tactics and techniques over time. However, the basic attack path involved phishing emails containing malicious links or attachments that infected host computers which then became part of a network of contaminated devices controlled by cybercriminals. These bad actors then stole info and credentials that allowed them access to more valuable networks and data. The ultimate target was disruption and financial gain.

Swift takedown, temporary repreive

Starting on Aug. 25, the international operation took control of more than 50 Qakbot servers and identified more than 700,000 infected computers, including more than 200,000 in the United States. Using the seized infrastructure, the authorities sent out updates that deleted the malware from the infected devices.

The FBI and Dutch National Police (Politie) identified stolen credentials and posted them on the FBI’s Have I been Pwned website and the Politie website for members of the public to see if their credentials were compromised in a related breach or other attack.

Also, the U.S. Justice Department created a webpage of information and resources related to the Qakbot operation, including links and documents for victims.

“[We] infiltrated the botnet servers and redirected their traffic to our own systems to uninstall malware,” Wray explained. “This is the first time we’ve deployed this innovative technique, severing thousands of computers from the botnet and restoring control back to the victims.”

Related content: Webinar: Ransomware preparedness for healthcare

However, despite the unprecedented and swift enforcement action, FBI issued no guarantee the victim computers were now free from other malware, and the crippled Qakbot network or the nextgen replacement, will resurface. It may take a while to infect hundreds of thousands of computers, but the botnet and malware threat is far from removed by this one successful operation.

“The cyberthreat facing our nation is growing more dangerous and complex every day,” Wray confirmed. “But our success proves that our own network and our own capabilities are more powerful.”