FBI, Justice Department launch multinational cyber takedown of Qakbot botnet

The U.S. Justice Department and the Federal Bureau of Investigation (FBI) announced Tuesday a multinational operation to disrupt and dismantle the malware and botnet known as Qakbot. The action, which took place in the U.S., France, Germany, the Netherlands, Romania, Latvia, and the U.K., represents one of the largest U.S.-led disruptions of a botnet infrastructure used by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.

“The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” Christopher Wray, FBI director, said in a statement. “The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”

Beginning on August 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer, the Justice Department disclosed. The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers; instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.

As part of the operation, the FBI gained lawful access to Qakbot’s infrastructure and identified over 700,000 infected computers worldwide, including over 200,000 in the U.S. To disrupt the botnet, the FBI redirected Qakbot traffic to Bureau-controlled servers that instructed infected computers to download an uninstaller file. This uninstaller was created to remove the Qakbot malware, untether infected computers from the botnet, and prevent the installation of any additional malware through Qakbot.

“All of this was made possible by the dedicated work of FBI Los Angeles, our Cyber Division at FBI Headquarters, and our partners, both here at home and overseas,” said Wray. “The cyber threat facing our nation is growing more dangerous and complex every day. But our success proves that our own network and our own capabilities are more powerful.”

According to court documents, Qakbot, also known by various other names, including ‘Qbot’ and ‘Pinkslipbot,’ is controlled by a cybercriminal organization and used to target critical industries worldwide. The Qakbot malware primarily infects victim computers through spam email messages containing malicious attachments or hyperlinks. Once it has infected a victim’s computer, Qakbot can deliver additional malware, including ransomware, to the infected computer.

Additionally, Qakbot has been used as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The ransomware actors then extort their victims, seeking ransom payments in Bitcoin before returning access to the victim’s computer networks.

These ransomware groups caused significant harm to businesses, healthcare providers, and government agencies all over the world, including to a power engineering firm based in Illinois; financial services organizations based in Alabama, Kansas, and Maryland; a defense manufacturer based in Maryland; and a food distribution company in Southern California. Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately US$58 million in ransoms paid by victims.

The victim computers infected with Qakbot malware are part of a botnet (a network of compromised computers), meaning the perpetrators can remotely control all the infected computers in a coordinated manner. The owners and operators of the victim computers are typically unaware of the infection.

The Justice Department said that the Qakbot malicious code is being deleted from victim computers, preventing it from doing more harm. It also announced the seizure of approximately $8.6 million in cryptocurrency representing illicit profits. The action represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.

“Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law,” Merrick B. Garland, Attorney General, said in a statement. “Together with our international partners, the Justice Department has hacked Qakbot’s infrastructure, launched an aggressive campaign to uninstall the malware from victim computers in the United States and around the world, and seized $8.6 million in extorted funds.”

“The Operation ‘Duck Hunt’ Team utilized their expertise in science and technology, but also relied on their ingenuity and passion to identify and cripple Qakbot, a highly structured and multi-layered bot network that was literally feeding the global cybercrime supply chain,” Donald Alway, assistant director in charge of the FBI’s Los Angeles Field Office, said. “These actions will prevent an untold number of cyberattacks at all levels, from the compromised personal computer to a catastrophic attack on our critical infrastructure.”

The Justice Department said that as a result of this operation, the FBI and the Dutch National Police have identified numerous account credentials that were compromised by the Qakbot actors. “The FBI has provided those credentials to the website Have I Been Pwned, which is a free resource for people to quickly assess whether their access credentials have been compromised in a data breach or other activity. The Dutch National Police have also set up a website that contains information about additional compromised credentials.”

Earlier this year, the DOJ announced its ‘months-long disruption’ campaign against the Hive ransomware group, which has targeted more than 1,500 victims across over 80 countries around the world. Since 2021, the hackers have targeted hospitals, school districts, financial firms, and critical infrastructure, and received over $100 million in ransom payments. Europol supported the German, Dutch, and U.S. authorities in disrupting and taking down the infrastructure used by Hive ransomware affiliates, an effort involving law enforcement authorities from a total of 13 countries.

In May, the Justice Department announced the completion of a court-authorized operation, codenamed ‘Medusa,’ to disrupt a global peer-to-peer (P2P) network of computers compromised by sophisticated malware called ‘Snake.’ The U.S. Government attributes it to a unit within Center 16 of the Russian Federal Security Service (FSB).
