Qakbot Takedown Resembles Hack Back, Will Botnet, Malware Be Resurrected?
The FBI’s recent takedown of Qakbot closely resembles something that authorities have often discouraged organizations from doing—hacking back.
“It is interesting the FBI essentially deployed something that almost resembles ‘hacking back’ to redirect traffic to their servers and ran a script to uninstall the malware on remote systems,” said Ken Westin, field CISO at Panther Labs.
“It is rare that law enforcement would deploy such measures, as there are potential risks of executing commands on remote systems; however, the risk may have been minimal in this case given the threat posed by Qakbot to networks and critical infrastructure,” said Westin. “It will be interesting to learn more about the legal case for when such activities can be undertaken to execute scripts on remote systems when dealing with malware and threats to national security.”
In late August, the Justice Department said a multinational operation in the United States, France, Germany, the Netherlands, the United Kingdom, Romania and Latvia had disrupted the Qakbot botnet and malware, seized cryptocurrency and taken down its infrastructure.
“The Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm,” the DOJ said at the time, noting that more than $8.6 million in illicit profits had been seized in what the department called “the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.”
Indeed, the DOJ hailed the action as a warning to malicious actors. “Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law,” Attorney General Merrick B. Garland said in a statement.
Calling Qakbot “one of the most notorious botnets ever, responsible for massive losses to victims around the world,” United States Attorney Martin Estrada said it “was the botnet of choice for some of the most infamous ransomware gangs” and pledged “[our] office’s focus is on protecting and vindicating the rights of victims, and this multifaceted attack on computer-enabled crime demonstrates our commitment to safeguarding our nation from harm.”
“The group responsible for the dismantling of Qakbot, the ‘Operation “Duck Hunt” Team,’ used their expertise in science and technology but also relied on their ingenuity and passion to identify and cripple Qakbot, a highly structured and multi-layered bot network that was literally feeding the global cybercrime supply chain,” said Donald Alway, the assistant director in charge of the FBI’s Los Angeles field office. “These actions will prevent an untold number of cyberattacks at all levels, from the compromised personal computer to a catastrophic attack on our critical infrastructure.”
Qakbot is well known to defenders and goes by various names, including “Qbot” and “Pinkslipbot.” Qakbot malware uses spam email messages containing malicious attachments or hyperlinks to infect victim computers, where it then delivers additional malware.
“From what is publicly known, the Qakbot network has been in action for a very, very long time, and taking it down represents a level of cybersecurity offense collaboration which we have not seen earlier,” said Agnidipta Sarkar, vice president, CISO advisory, at ColorTokens. “Operation ‘Duck Hunt’ tricked thousands of Qakbot-infected computers into downloading an FBI-made uninstaller. Can it resurrect? Only time will tell. Criminal organizations will surely try.”
In fact, “Qakbot has been used as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta,” the Justice Department noted, and it has been used against targets such as a power engineering firm based in Illinois; financial services organizations based in Alabama, Kansas and Maryland; a defense manufacturer based in Maryland; and a food distribution company in Southern California.
Those attacks and others between October 2021 and April 2023 yielded Qakbot administrators around $58 million in ransom fees.
“While taking down the infrastructure deals a blow to the threat actors operating it, their skills are still on the market to move to new infrastructure or integrate with another malware ecosystem,” said Travis Smith, vice president of the threat research unit at Qualys. “Qakbot itself is known to exploit multiple vulnerabilities ranging from operating systems to networking devices. Organizations should continue to be vigilant and take action now to reduce their organizational risk while there is a lull in the storm.”
The victim computers infected with Qakbot malware are part of a botnet (a network of compromised computers), meaning the perpetrators can remotely control all the infected computers in a coordinated manner. The owners and operators of the victim computers are typically unaware of the infection.
“Qakbot was in some ways like zombies in a movie—every victim machine they took down became part of their army, increasing their numbers and destructive force. As the number of infected machines grew, they had greater scale to compromise more systems, grow their infrastructure, upload more malware, and profit from more ransomware and related attacks,” said John A. Smith, CEO at Conversant Group.
“Yet, in this scenario, we must remember that the victims weren’t completely helpless. Most victims were organizations (vs. individuals), and there were many IT controls that should have been employed to avoid these compromises,” he said. “Systems were compromised via download of malicious attachments—this shows weak email, endpoint and perimeter defenses employed at the IT level and poor choices on controls and configurations. In short, we have a shared responsibility model: bad actors doing bad things, and IT teams not looking at their defenses through a zero-trust framework.”
The FBI accessed the Qakbot infrastructure and identified more than 700,000 infected computers around the world—200,000 of which were in the United States—then “redirect[ed] Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware,” the Justice Department said. “This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot.”
The department explained that “the scope of this law enforcement action was limited to information installed on the victim computers by the Qakbot actors. It did not extend to remediating other malware already installed on the victim computers and did not involve access to or modification of the information of the owners and users of the infected computers.”