
Sprawling Qakbot Malware Takedown Involves 700,000 Infected Machines


In a joint operation known as “Duck Hunt,” law enforcement agencies, including the US Department of Justice (DoJ) and the FBI, teamed up with several countries to take down the infrastructure supporting the notorious Qakbot malware. Qakbot, also known as Qbot, is a widely used tool among cybercriminals that infects computers through malicious email attachments. Once a machine is compromised, it becomes part of a botnet network, ready to execute further instructions from its operators.

Since its emergence as a banking Trojan in 2007, Qakbot has evolved into a key player in the initial access broker market on the Dark Web. Its operators rent access to their network of compromised machines to other cybercriminals, enabling various malicious campaigns, including ransomware, cryptominers, and spyware.

The coordinated international effort successfully identified and accessed over 700,000 Qakbot-infected computers worldwide, with more than 200,000 in the United States alone. To disrupt the botnet, the FBI redirected Qakbot traffic to their own servers, instructing infected computers to download an uninstaller file. This file severed the connection between the infected machines and the botnet, preventing the installation of additional malware.

The proactive approach of redirecting compromised hosts to a server under law-enforcement control for cleanup is becoming more common in law enforcement operations. Earlier this year, the FBI used a custom tool called Perseus in “Operation Medusa” to disable the Snake malware on compromised computers. The tool issued commands that caused the malware to overwrite its own vital components, all done under a search warrant authorizing remote access.

While some may view this proactive cleanup as controversial, it has proven effective in reducing the impact on victims and preventing further infections. Roger Grimes, a data-driven defense evangelist, praised the risk taken in these operations, stating that it improves the security of both exploited individuals and organizations.

The DoJ considers this takedown operation as one of the largest disruptions of a botnet infrastructure. According to FBI Director Christopher Wray, the victims ranged from financial institutions to critical infrastructure contractors and medical device manufacturers.

However, experience with similar takedowns of Qakbot’s counterparts, Trickbot and Emotet, suggests that the long-term impact on the cyber-underground may not be significant. Chester Wisniewski, a field CTO at Sophos, notes that while these disruptions impose inconveniences on botnet operators, they quickly reconstitute their networks to continue profiting from security failures. To truly disable their operations, efforts must be made to identify those responsible and hold them accountable.

Mandiant researchers highlight the ethical responsibility to disrupt cybercrime partnerships, particularly those involving ransomware and adversarial nation-states like Russia or North Korea. Despite the resilience of these operations, disrupting them whenever possible is crucial. However, Sandra Joyce, vice president of Mandiant Intelligence – Google Cloud, acknowledges that the underlying business models of these operations are solid, and the problem will persist, necessitating ongoing efforts to combat them.

From a practical perspective, Kimberly Goody, Mandiant senior manager for financial analysis, predicts short-term fractures within the criminal ecosystem as a result of the Qakbot takedown. This may give rise to new partnerships and varied initial access tactics that defenders need to monitor closely.

In conclusion, the takedown of the Qakbot infrastructure represents a significant blow to the cybercriminal landscape. While the effects may be short-lived and the malware may resurface in the future, law enforcement agencies worldwide have sent a strong message that they will continue to disrupt these operations and hold cybercriminals accountable. The cooperation between countries in this operation demonstrates the international commitment to combating cyber threats and protecting individuals, businesses, and critical infrastructure from malicious activities.
