Cyber security experts have welcomed the apparent downfall of the Qakbot malware, following a multinational law enforcement hack-back operation, encompassing the UK’s National Crime Agency (NCA) and the FBI among others, which took down its botnet infrastructure over the weekend of 25-27 August.
A long-established tool in the cyber criminal arsenal, Qakbot has infected millions of systems around the world since it emerged in the late 2000s. Over the years, it has operated in many different capacities, including as a banking trojan and a credential stealer, and was usually spread as a malicious attachment in spam emails.
Most dangerously, it was used as a remote access trojan (RAT) by some of the world’s most infamous cyber crime operations to deliver ransomware lockers, including the REvil (aka Sodinokibi) crew behind the 2021 Kaseya supply-chain attack, and LockBit, which attacked Royal Mail at the start of 2023. US authorities believe Qakbot’s administrators may have received up to $58m from the various ransomware attacks in which it was used.
Dubbed Operation Duck Hunt, the hacking mission against Qakbot saw the FBI gain access to Qakbot’s infrastructure, where it identified the malware’s presence on more than 700,000 systems. Agents then redirected Qakbot botnet traffic to and through servers under the bureau’s control, which instructed the victims’ machines to download a file that uninstalled the malware and freed each system from the botnet, preventing the further installation of malware via Qakbot. They also seized millions of dollars’ worth of illicit cryptocurrency assets.
The FBI said the scope of the action was limited to information installed on the victim systems by Qakbot – no other malware that may have been present was removed, and the agency claims it did not access or modify any other information.
“The Operation Duck Hunt Team utilised their expertise in science and technology, but also relied on their ingenuity and passion to identify and cripple Qakbot, a highly structured and multi-layered bot network that was literally feeding the global cyber crime supply chain,” said Donald Alway, assistant director in charge of the FBI Los Angeles Field Office.
“These actions will prevent an untold number of cyber attacks at all levels, from the compromised personal computer to a catastrophic attack on our critical infrastructure,” he said.
“This investigation has taken out a prolific malware that caused significant damage to victims in the UK and around the world,” added Will Lyne, NCA head of cyber intelligence in the UK. “Qakbot was a key enabler within the cyber crime ecosystem, facilitating ransomware attacks and other serious threats.
“The NCA is focused on disrupting the highest harm cyber criminals by targeting the tools and services that underpin their offending. This activity demonstrates how, working alongside international partners, we are having an impact on those key enablers and the ransomware business model.”
Besides the various US agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the wide-ranging operation also encompassed Europol, as well as cyber crime specialists from France, Germany, Latvia, the Netherlands and Romania. Technical assistance was provided by Zscaler, while others, including the Microsoft Digital Crimes Unit and Have I Been Pwned, have been helping with victim notification and remediation.
Hunting Qakbot
The Secureworks Counter Threat Unit (CTU) has been tracking Qakbot for some time, and earlier this year the CTU team, under vice-president Don Smith, was able to observe activity transiting one of Qakbot’s command and control (C2) servers.
During this operation, the team also took steps to ensure the server did not pass any malicious traffic on to the backend infrastructure, effectively rendering it useless to Qakbot’s operators, who are tracked as Gold Lagoon in the Secureworks threat actor matrix.
The team saw 10,000 infected machines in 153 countries connecting to the server over a four-month period, at least 5,000 of which were joined to a domain, indicating that they belonged to a business or other organisation rather than a private individual.
Because Qakbot used campaign IDs to track its operations, Smith’s team was able to track three distinct campaigns during the period, BB, Obama and Snow. The BB and Obama campaigns both targeted systems in North America and Western Europe, while the Snow campaign targeted a number of other geographies, mostly in South America and APAC. They said this suggested Qakbot’s operators were able to specifically target regional victims based on the requirements of their “customers”.
The backend infrastructure itself was based in Russia, where it has been hosted entirely since early 2021, when, following the disruption of the rival Emotet botnet, its operators pulled out of other geographies, including Germany, the Netherlands and the US. The CTU team observed this infrastructure going quiet at about 11:30pm on Friday 25 August, when the takedown began.
They said the robust efforts made by law enforcement should both reduce the number of infected hosts and hinder any attempts by Gold Lagoon to regain control of the Qakbot botnet.
Speaking as news of the takedown broke, Smith said: “Qakbot was a significant adversary that represented a serious threat to businesses around the world. Engineered for e-crime, Qakbot infections led to the deployment of some of the most sophisticated and damaging ransomware.
“Qakbot has evolved over the years to become a flexible part of the criminal’s arsenal,” he added. “Its removal is to be welcomed.”
Others voiced similar sentiments. Roger Grimes, data-driven defence evangelist at KnowBe4, was among them. “I applaud the FBI and its partners across the globe,” he said. “Wonderful news! These sorts of takedowns used to be fairly rare, but are becoming more common over time. It’s no small feat to coordinate an international takedown.
“It takes lots of technical and legal talent,” said Grimes. “It was great to hear that the FBI had taken over at least one of the criminal servers and used it to redirect exploited nodes to a safer server where the FBI tried to automatically uninstall Qakbot on impacted computers.”
Grimes said that historically, such proactive clean-ups had been rare and often controversial because, if not done right, things can go very wrong, and there have been instances of well-meaning cyber experts involving themselves and making the situation worse.
“The FBI and its technical partners appear to be doing the clean-up right, with minimal legitimate operational impact,” he said. “I’m glad the FBI and its partners have decided proactive cleanup was worth the risk. It improves not only the lives of the exploited people and organisations who have Qakbot installed, but the next innocent victims.”
Trellix’s John Fokker, head of threat intelligence at the organisation’s Advanced Research Centre, added: “The takedown process is no cakewalk, speaking from experience with our recent involvement in the Genesis Market takedown and REvil arrests. Combating cyber crime takes a respectable amount of dedication and collaboration to pull apart the intricacies of ransomware infrastructures.
“The increase in takedowns and arrests shows that cyber criminals need to watch their backs,” he said. “Law enforcement and the industry alike are seeking every opportunity to disrupt threat actors, and additional takedowns are imminent.”
They’ll be back
Although the disruption of Qakbot will be a setback to many cyber criminal operations, it will likely do relatively little to combat the scourge of cyber crime in general.
Sandra Joyce, vice-president of Mandiant Intelligence at Google Cloud, said the cyber crime business model had strong underpinnings and would not be easily disrupted. The ransomware gangs that relied on Qakbot are likely to pivot to other tools, or fall back on the services of initial access brokers, in short order.
“Many of the tools we have at our disposal aren’t going to have long-term effects,” she said. “These groups will recover and they will be back. But we have a moral obligation to disrupt these operations whenever possible.”