The FBI, in collaboration with international partners, recently conducted Operation Duck Hunt, a multinational operation aimed at dismantling the QakBot malware and botnet [1] [2] [3] [4] [5] [6]. The operation is considered one of the largest U.S.-led disruptions of a botnet infrastructure [4].

Description

QakBot, also known as Qbot, is a sophisticated botnet and malware that has infected over 700,000 computers worldwide over the past 15 years [6]. It evolved from a tool for stealing banking credentials into a powerful weapon for cybercriminals [6]. The malware primarily infected victim computers through spam emails containing malicious attachments or links [5]. The FBI, together with its partners, seized 52 servers, effectively dismantling the botnet, and redirected QakBot’s traffic to servers controlled by the Bureau [1] [6]. By doing so, they untethered over 700,000 infected computers worldwide from the botnet and prevented the installation of additional malware [5]. The US Department of Justice (DoJ) announced that 200,000 of these infected computers were in the US. Additionally, the DoJ seized over $8.6 million in cryptocurrency from the QakBot cybercriminal organization, which will be returned to the victims [1].

QakBot was used by infamous ransomware gangs and served as backbone malware supporting a vast cybercrime ecosystem [6]. It targeted critical sectors in the US, such as hospitals, schools, police departments, and local governments, causing disruptions and costing millions of dollars [6]. The FBI seized the botnet’s command and control servers and redirected its traffic to servers under its control [6]. Infected users were asked to download a file created by law enforcement to uninstall the malware [6]. This operation is part of a broader proactive strategy by US law enforcement to disrupt cybercriminals and their networks [6]. The investigation into QakBot is ongoing, and it remains to be seen whether any arrests have been made [6].

The US State Department’s Rewards for Justice program has announced a reward of up to $10 million for information on anyone targeting US critical infrastructure with cyberattacks [6]. Cybersecurity firm Check Point Research identified QakBot as the most prevalent malware in the world, affecting 11% of corporate computer networks [6].

The operation involved actions in multiple countries, including France [2] [3] [5], Germany, the Netherlands, the United Kingdom, Romania, and Latvia [3]. The FBI gained access to the botnet’s infrastructure and obtained valuable data, including encryption keys [3]. It also identified over 700,000 infected computers globally, with more than 200,000 in the U.S., and redirected QakBot traffic to its own servers [3]. These servers instructed infected computers to download an uninstaller file that removed the malware and prevented the installation of new malware [3].

The operation, named “Duck Hunt,” resulted in the seizure of $8.6 million in extorted funds [3]. QakBot administrators had received $58 million in ransom payments between October 2021 and April 2023 [3]. The takedown of QakBot is seen as a significant victory against cybercriminals who rely on this malware for stealing private data [3]. The QakBot network has been described as one of the most devastating cybercriminal tools in history [2].

Conclusion

The successful dismantling of the QakBot malware and botnet through Operation Duck Hunt has had significant impacts. Over 700,000 infected computers worldwide have been untethered from the botnet, preventing the installation of additional malware [3] [5]. The seizure of $8.6 million in cryptocurrency from the QakBot cybercriminal organization will be returned to the victims [1]. This operation is part of a broader proactive strategy by US law enforcement to disrupt cybercriminals and their networks [6].

However, the investigation into QakBot is ongoing, and it remains to be seen whether any arrests have been made [6]. The US State Department’s Rewards for Justice program has announced a reward for information on anyone targeting US critical infrastructure with cyberattacks [6], highlighting the importance of continued vigilance in the face of cyber threats.

The takedown of QakBot is a significant victory against cybercriminals who rely on this malware for stealing private data [3]. The QakBot network has been described as one of the most devastating cybercriminal tools in history [2], and its dismantling marks a major step in mitigating the risks posed by such malware. The operation serves as a reminder of the importance of international collaboration and proactive measures in combating cybercrime.

References

[1] https://www.infosecurity-magazine.com/news/fbi-operation-duck-hunt-qakbot/
[2] https://abc7ny.com/hacker-network-qakbot-ransomware-attacks-cybercrime/13716286/
[3] https://www.techtarget.com/searchSecurity/news/366550298/FBI-Justice-Department-dismantle-Qakbot-malware
[4] https://www.washingtonpost.com/us-policy/2023/08/29/fbi-duckhunt-qakbot-ransomware/
[5] https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown
[6] https://www.voanews.com/a/fbi-led-operation-dismantles-notorious-qakbot-malware-/7246180.html