Operation Duck Hunt Seizes 52 Servers, Over $8.6 Million in Cryptocurrency
In a groundbreaking achievement that marks a significant win for global cybersecurity, the FBI, leading a multinational law enforcement coalition, has dismantled QakBot, a notorious malware loader heavily exploited by cybercriminals.
Inside Operation Duck Hunt
Code-named “Operation Duck Hunt,” the FBI gained privileged access to the administrative systems of QakBot, mapping its complex server architecture. The operation led to the seizure of 52 servers, effectively crippling the botnet infrastructure and redirecting its traffic to FBI-controlled servers. The U.S. Department of Justice (DoJ) confirmed that this action will permanently dismantle the QakBot botnet.
Key Stats:
– Over 700,000 infected computers worldwide identified
– More than 200,000 infected systems in the U.S.
– $8.6 million in cryptocurrency seized
Multinational Partnerships Yield Success
This operation is the culmination of collective efforts from law enforcement agencies across France, Germany, the Netherlands, Romania, Latvia, and the UK. Technical partnerships included the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Microsoft’s Digital Crimes Unit, and the National Cyber Forensics and Training Alliance (NCFTA), among others. Private firms like Have I Been Pwned and Zscaler also aided in victim notification and remediation.
Financial Impact and Scope of Operation
Donald Alway, Assistant Director in Charge of the FBI’s Los Angeles Field Office, mentioned that the operation will thwart countless cyberattacks, thereby safeguarding both personal and critical infrastructure. The financial toll exacted by QakBot is enormous; the malware’s administrators are said to have accrued fees approximating $58 million in ransoms from October 2021 to April 2023.
The Evolution of QakBot
Originating as a banking trojan in 2008, QakBot evolved to become a leading malware delivery service used for ransomware attacks, data theft, and other malicious activities. Employing spam emails for initial deployment, QakBot was instrumental in a variety of ransomware attacks, serving as a primary enabler for high-profile ransomware groups like Conti, ProLock, Egregor, REvil, and others.
A Historical Context
The joint effort builds on the precedent set by the takedown of Emotet in 2020, another notorious malware family. However, the current operation is distinct for its scale, described as the “largest U.S.-led financial and technical disruption of a botnet infrastructure.”
Future Implications
With QakBot servers now offline, as corroborated by data from Abuse.ch, this marks a significant milestone in the battle against global cybercrime. Yet, the ever-adaptive nature of cybercriminal tactics, as seen in QakBot’s evolution, signifies an ongoing challenge for law enforcement agencies and cybersecurity experts alike.
Keep an eye on our information security news updates as we continue to monitor FBI Dismantles QakBot Botnet In Largest-Ever Cybercrime Operation and check how the security experts respond to this news.
Industry Reactions
Below are the industry reactions that sent us comments on this information security news:
“2023 has already proven to be one for the books as the FBI announced yet another dismantling of a global network following the Genesis Market takedown in May and the Hive ransomware infiltration in January. Since the industry first detected Qakbot, also known as QBot, QuakBot, and Pinkslipbot, a highly resilient Botnet, in 2007, it has remained active, making us researchers often feel we were playing a game of cat and mouse. It was constantly evolving, adding new features, and finding new ways to evade detection, always skirting true takedown, until today. It is great news the FBI and Partners were able to disrupt this very persistent botnet and hopefully it will stay offline for good.
The takedown process is no cakewalk, speaking from experience with our recent involvement in the Genesis Market takedown and REvil arrests. Combating cybercrime takes a respectable amount of dedication and collaboration to pull apart the intricacies of ransomware infrastructures. The increase in takedowns and arrests shows that cybercriminals need to watch their backs. Law enforcement and the industry alike are seeking every opportunity to disrupt threat actors, and additional takedowns are imminent.”
It is interesting the FBI essentially deployed something that almost resembles “hacking back” to redirect traffic to their servers and ran a script to uninstall the malware on remote systems. It is rare that law enforcement would deploy such measures as there are potential risks of executing commands on remote systems, however, the risk may have been minimal in this case given the threat posed by Qakbot to networks and critical infrastructure. It will be interesting to learn more about the legal case for when such activities can be taken to execute scripts on remote systems when dealing with malware and threats to national security.
“This is a big win for law enforcement because Qakbot is a sophisticated banking trojan that has caused havoc to businesses for years.
Criminals have used the malware’s backdoor capabilities to install ransomware on target machines, steal passwords by monitoring keystrokes or steal bank information from victims. The malware was distributed via phishing, where users were encouraged to open malicious attachments or links before the payload would load on to their machines. Unless the victim was scanning for the malware, it would often go completely missed, until ransomware was executed, or passwords were stolen from victims.
The malware once again highlights the importance of security awareness training among employees, and the need for them to think before they click. With the malware also being used to steal corporate passwords, this acts as another reminder of the importance of using a solution to remove credentials from the hands of employees. When employees do not know their passwords, they can’t hand them out to phishing scammers, plus they can’t be stolen via malware that monitors keystrokes, because they don’t have to type them in anywhere.”
“This takedown should act as a warning to other cybercrime operations that the law is always watching and the chances of getting caught get higher every day.Qakbot is a notorious information stealer that has evolved over the last 15 years in tandem with cybercrime activity. The malware traditionally focused on stealing information – such as bank details, but more recently it has been coupled with ransomware to gain an initial foothold on organisations. The malware has been spread via phishing emails and HTML files, which have been very difficult to spot to the untrained eye. This has made Qakbot one of the most effective, popular and dangerous threats of the last decade.But, is this the last we will hear of Qakbot? Hopefully yes, but until law enforcement catches the criminals behind the operation, there is still a chance they will resurface again with new and improved infrastructure.
As a result, organisations should therefore never use this as an excuse to get complacent with cybersecurity. Yes, one major malware variant is out of operation, but thousands of others are still active. Instead, educating staff on cyber threats, keeping systems up to date with patches, and layering security to make it harder for attackers to breach networks must be the focus.”
We applaud the FBI for taking control of the Qakbot malware command-and-control infrastructure; unfortunately, without any arrests, it’s likely that the criminals will setup new adversary infrastructure in the near future. With dwell time being as little as 24 hours, these attacks highlight once again how critical it is for organizations to have immediate visibility into anomalous network traffic communicating with adversary infrastructure so that they can take control before ransomware impacts operational resiliency, as recommended by CISA and the NSA via Protective DNS solutions.