Qakbot forced offline, but history suggests it probably won’t be forever
Operation Duck Hunt was one of the largest of its kind but similar attempts in the past have struggled to achieve long-lasting success
The Federal Bureau of Investigation (FBI) has announced the successful takedown of the Qakbot botnet, an international malware operation that had run for over a decade.
Through a joint international effort known as Operation Duck Hunt, law enforcement agencies severely disrupted the Qakbot operations and recovered thousands of affected devices by wiping Qakbot malware.
Law enforcement gained access to Qakbot’s infrastructure via lawful means and set about identifying the scale of the malware operation. The FBI found evidence of at least 700,000 affected devices total, with 200,000 of these based within the US.
In order to execute Operation Duck Hunt, the FBI collaborated with international partners in the US and UK, France, Germany, Latvia, the Netherlands, and Romania.
The UK National Crime Agency (NCA) and the US’ Cybersecurity and Infrastructure Security Agency (CISA) played pivotal roles.
In the UK, the NCA temporarily shut down Qakbot’s servers, and further activity on the part of international law enforcement agencies ensured that Qakbot contributors could not access servers while the FBI was taking control of the threat group’s infrastructure.
Law enforcement also partnered with a number of organizations to notify Qakbot victims and begin the remediation process, including Zscaler, Microsoft Digital Crimes Unit, Shadowserver, and credential theft-checking website Have I Been Pwned.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
“The FBI led a worldwide joint, sequenced operation that crippled one of the longest-running cyber criminal botnets,” said Christopher Wray, director at the FBI.
“With our federal and international partners, we will continue to systematically target every part of cyber criminal organizations, their facilitators, and their money – including by disrupting and dismantling their ability to use illicit infrastructure to attack us.
Learn how to use threat intelligence to fight ransomware attacks.
DOWNLOAD FOR FREE
“Today’s success is yet another demonstration of how FBI’s capabilities and strategy are hitting cyber criminals hard, and making the American people safer.”
The permanence of the latest disruption to Qakbot remains to be established. Looking at similar cases from recent years would suggest that there is a good chance Qakbot may return to some degree later down the line.
A joint operation to take down Trickbot took place in 2020 but the botnet returned less than a year later with a new strain that could establish greater persistence.
Similarly, Emotet is arguably the most well-known botnet of the modern era and attempts to dismantle it also proved to be merely temporary.
The efforts to bring down Emotet were led by Europol in 2020 and 2021 but even when the takedown was announced, experts at the time were skeptical about whether the botnet was shuttered for good.
See why your peers are looking to AI and machine learning to transform their cyber security processes.
DOWNLOAD FOR FREE
Again, less than a year after the takedown, the botnet returned and its infrastructure spread rapidly.
Over the course of the following year, and after a four-month break, Emotet re-established itself as one of the most pervasive malware strains in the cyber security landscape, attacking hundreds of thousands of users every day.
“This was a major step for the FBI and Justice Department to take and I certainly think it will have a significant impact on the threat actors behind Qakbot,” said Max Gannon, senior cyber threat intelligence analyst at Cofense.
“While this action was able to protect a huge number of victims that were already infected, it was not paired with arrests which are what most often leads to threat actors ceasing or at least temporarily halting operations.
“Because it was not paired with arrests I do not believe this will be the end of Qakbot or at the very least it won't be the end of the threat actors behind Qakbot. Because of the huge blow to the botnet's infrastructure, I expect that the threat actors will either take a very long time to return or they will pivot to other existing botnet projects."
What is Qakbot and how has it been taken offline?
Qakbot, also known as Pinkslipbot, has been a particular thorn in the side of security teams for many years. Believed to have origins in Russia with the operators GOLD LAGOON, the malware began as a Trojan operation and was first detected in the late 2000s affecting banking systems.
In the years since, the malware has evolved and become a dynamic threat to enterprises, becoming known for its lateral attack capabilities and for always reemerging. Ransomware operators such as REvil and LockBit have used Qakbot to spread their respective strains.
The main infection vector for Qakbot is email phishing, which is still the most common way for attacks to start out, after which point it can deploy a range of malicious programs.
“Qakbot is especially tricky: It is a multipurpose malware, akin to a Swiss army knife,” wrote Check Point Software in 2020.
“It allows cyber criminals to directly steal data - credentials to financial accounts, payment cards, etc. – from PCs, while also serving as an initial access platform to infect victims’ networks with additional malware and ransomware.”
Learn how endpoint management and endpoint security are converging, and what's influencing security strategies moving forward.
DOWNLOAD FOR FREE
In 2021, SOS Intelligence found that infected Microsoft Exchange Servers were distributing Qakbot as a loader for ransomware payloads.
Botnets are automated networks used to automate tasks or the distribution of software. They are widely by threat actors for malicious activity, in the form of vast networks made up of infected devices that spread malware to further devices. Victims often do not know that they have even been compromised.
Through Operation Duck Hunt, the FBI gained access to Qakbot infrastructure and rerouted traffic to specialized FBI servers.
This effectively replaced the command and control (C2) servers within the botnet, used to send malicious instructions to all other instances of Qakbot, and prevented threat actors from regaining C2 control.
The FBI then distributed a custom payload via these seized instances to infected devices across the international botnet, which contained the code for a tool used to permanently delete Qakbot malware.
In addition to uninstalling Qakbot from affected devices, the tool also acted as a final instruction from the C2 and subsequently disconnected devices from the botnet altogether. It is hoped that this will set Qakbot operatives back to square one.
A similar tool named PERSEUS was recently used by the NSA, FBI, and CISA to take down the Russian-linked Snake malware operation.
Disassembling botnets can take months or even years, as their scale and complexity necessitate the cooperation of dozens of international agencies. If the FBI had been unable to rely on UK and European partners to shut down regional Qakbot instances, Operation Duck Hunt may have failed entirely.
Unlike some ethical hackers, law enforcement agencies cannot gain illegal access to a victim’s device - they require specific warrants.
The US Department of Justice (DoJ) stated that $8.6 million in illegitimate profits had been seized through the campaign, of a total $58 million paid by victims since October 2021.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.