FBI’s Qakbot operation opens door for more botnet takedowns
The FBI’s recent takedown of the QakBot botnet sent shockwaves throughout the cybersecurity community when it was first announced last week. QakBot had become the malware of choice for dozens of hacking groups and ransomware outfits that used it to set the table for devastating attacks.
Since emerging in 2007 as a tool used to attack banks, the malware evolved into one of the most commonly seen strains in the world, luring an ever-increasing number of machines into its powerful web of compromised devices. Justice Department officials said their access to the botnet’s control panel revealed it was harnessing the power of more than 700,000 machines, including over 200,000 in the U.S. alone.
But almost as interesting as the takedown was the way law enforcement agencies pulled off the disruption.
Senior FBI and Justice Department officials — who called it “the most significant technological and financial operation ever led by the Department of Justice against a botnet” — explained in a briefing that they managed to infiltrate the botnet’s infrastructure and take a range of actions to shut it down.
Using a court order, the law enforcement agencies deployed the botnet’s auto-updating feature against itself to send out a custom application that uninstalled QakBot and disabled the feature on devices in the U.S.
“It's as if the boss gave the order, ‘leave this workplace and don't come back,’” said John Hammond, principal security researcher at the cybersecurity intelligence firm Huntress.
Chester Wisniewski, field CTO of applied research at Sophos, said the tactic reminded him of NotPetya, where a software downloader feature was abused by Russian hackers to download malware instead of updates.
“Almost all modern botnets have auto update functionality and if you can gain control of the communications channels you can essentially make them self-destruct,” Wisniewski said. “If we start having success with that though, criminals could start using digital signatures to make this more difficult.”
Other botnets
The FBI and other law enforcement agencies have conducted similar operations in the past to take down botnet networks.
The FBI’s targeting of the Kremlin-backed Snake malware in May, as well as the operation to disrupt the Cyclops Blink malware, are examples of the kind of offensive actions law enforcement agencies are now taking not only to remove malicious software from devices in the U.S., but also to shrink powerful botnets that are causing significant harm.
Experts floated other botnets that law enforcement could attempt to disrupt, like IcedID, LokiBot and AgentTesla. Check Point Software’s Sergey Shykevich said that while the malware strains Formbook and Guloader are a bit different from QakBot, they could also be taken down in a similar way.
Even so, past takedowns — most notably that of Emotet — have done little to stop groups from reforming.
Shykevich said the QakBot operation could be replicated under some conditions, but it depends on which assets are under law enforcement control.
In the Emotet takedown case, an update file was sent from the servers to the victims’ machines to stop the botnet from communicating further with infected computers. Shykevich suggested that the FBI could conduct a QakBot-like operation on Emotet, which has seen a resurgence in recent years thanks to thousands of new infections.
When asked about potential arrests to go along with the QakBot takedown, Justice Department and FBI officials would only say that they were not announcing any at the moment.
“If the perps aren't behind bars they are likely to continue on and just rebuild as there is simply too much money to walk away,” Wisniewski said.
“Hard to say if there are sealed indictments or if they believe they may have spooked them into hiding though.”
It appears the FBI’s main focus was on preventing QakBot threat actors from reacquiring infected systems in the current botnet, said Secureworks Counter Threat Unit’s Keith Jarvis.
The threat actors may make an effort to reconstitute the botnet by creating a new one entirely, he explained, adding that the past has shown takedowns not coupled with arrests usually lead to the threat actors attempting to come back.
“But historically those attempts have been largely ineffective,” he said.
Shykevich warned that it is still unclear if the QakBot operation was just a disruption that will halt their operations for a few months or if it was a full takedown.
“Dismantled infrastructure doesn't directly mean that source code is destroyed, or that people have been arrested or the mission is decapitated,” Hammond said. “They could very well still be operating. They could reorganize, rebuild, rebrand. Perhaps in time, Qakbot could be back in action, but we remain cautiously optimistic and celebrate these wins making a dent against cybercrime.”
Austin Berglas, a former special agent in the FBI Cyber Division, said there is always a concern about a potential resurgence of groups, particularly those operating powerful botnets.
“It’s very similar to a street gang selling drugs on a street corner. If the police increase presence and prevent the gang from selling drugs on that particular corner, there is nothing stopping them from going to another part of the city, establish operations, and resume the activity,” said Berglas, who is now global head of professional services at BlueVoyant.
“True dismantlement of an organization requires identifying, arresting, and prosecuting the personnel, as well as taking down the technical infrastructure.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.