Multinational Op Takes Down a Cybercriminal Botnet Infrastructure

On Aug. 29, the Federal Bureau of Investigation and the Justice Department announced that a multinational operation resulted in the dismantlement of Qakbot, a malware and botnet that has been used in cybercrime since 2008. What does this operation mean for the continuing fight against cybercrime?

The Qakbot Infrastructure

Qakbot malware infected computers via email phishing campaigns. Once a victim clicked on a link, Qakbot would deliver additional malware. Infected computers became part of the Qakbot botnet, allowing the botnet's operators to control them remotely, according to the FBI report.

Threat actors have leveraged this malware to execute ransomware attacks and other cybercrimes. The FBI attributes hundreds of millions of dollars in losses to Qakbot.

Victims were often unaware that their computers had been compromised by Qakbot.

“Its polymorphic code helps it to evade detection-based solutions,” Aviv Grafi, CTO and founder of cybersecurity company Votiro, tells InformationWeek via email. “It was also infamously known for techniques that made it persistent and therefore was difficult to remove once the system or network got infected.”

Over its years in operation, Qakbot claimed a wide variety of victims around the world. “The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast,” FBI Director Christopher Wray said in the FBI report on the operation.

The Takedown Operation

This operation, executed on Aug. 25, involved extensive cross-border collaboration. The FBI and Justice Department worked with partners in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom to dismantle Qakbot.

To coordinate a multinational operation like this, the FBI can leverage its overseas reach via dozens of legal attaché offices in US embassies around the world and its agents who work with foreign counterparts, according to Donald Alway, FBI Assistant Director in Charge, FBI Los Angeles, in an emailed comment. “This affords us a unique ability to build trust, enhance partnerships and to gain cooperation that is of mutual benefit to our respective citizens.”  

The FBI gained legal access to the Qakbot infrastructure and then directed its traffic to servers controlled by the FBI. These servers instructed infected computers to download an uninstaller file, which severed their connection to the botnet and prevented further malware installation. The FBI found more than 700,000 computers around the world infected with Qakbot, according to the report.

“This was a phenomenal collaboration between law enforcement agencies, intelligence, cybersecurity vendors and services that all worked in concert to craft a highly sophisticated attack on both the QakBot infrastructure while at the same time dismantling the QakBot infection across hundreds of thousands of computers worldwide,” says Grafi. “This type of collaboration represents great potential in global cyber defense.”

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory that provides technical details on how Qakbot operated, its indicators of compromise (IOCs), and mitigation recommendations.

Travis Smith, vice president of the threat research unit at IT security and compliance platform Qualys, notes in an email interview the value of this kind of transparency following the takedown. “A technical write-up of the entire operation and infrastructure alongside IOCs and mitigation guidance to prevent similar attacks in the future is a goldmine for organizations in helping to reduce their organizational risk.”

Continuing the Fight Against Cybercrime

While this operation is a victory, the fight is hardly over. Smith notes that this operation did not involve the arrests of any individuals. The threat actors leveraging Qakbot are free to find new attack vectors.

The takedown of the Qakbot botnet is similar to the operation that disrupted the Emotet botnet in 2021, according to Grafi. “Very similar to how Emotet was disrupted by an international cyber operation, which led to the rise of Qakbot, the bringing down of Qakbot will create a vacuum in which cyber criminals will develop new types of LaaS [loader as a service] malware that could be evolutions of Qakbot or new variants,” he explains.

Although a new threat will fill Qakbot’s shoes, that does not mean this operation was in vain. “Using the guidance provided as part of this operation will give defenders a head start in reducing the risk of being part of the next botnet,” says Smith.  

This operation also lays the groundwork for future collaboration among international partners. “Running through operations like this helps those involved understand what tasks need to be accomplished and what challenges lie ahead for future operations,” says Smith. “This also increases the level of trust amongst multinational organizations.”

While law enforcement plays a crucial role in leading these types of multinational operations, enterprises have an opportunity to work alongside enforcement agencies. Proactively building relationships with agencies like the FBI and CISA can help organizations before they become victims of a cybercrime.

“When an investigation is going on, you want to have those communication channels in place, as speed is crucial when dealing with nefarious cyber threat actors,” says Smith.

FBI’s Alway also emphasizes the importance of collaboration in combating cyber threats. “Without close partnerships with private industry, and without prompt, proactive reporting of cyber incidents, the FBI won’t have all the relevant information in order to impose consequences on cyber criminals and take bad actors off the board,” he shares. “Before a cyber incident occurs, we recommend calling your local FBI office to build a relationship and to include the contact information for your local FBI field office within your cyber incident response plan.” 

Organizations also have access to a multitude of resources that can help them prepare for the potential need to work with law enforcement. “There are many information sharing and analysis centers (ISACs) for industries, which can provide organizations warning signals and have others to talk to, should the need arise to work with the appropriate law enforcement agencies,” Smith adds.
