
FBI and European partners dismantle global malware network


The Qakbot malware had been used for 15 years to carry out ransomware attacks, financial fraud and other cyber-enabled criminal activity.

‘Operation Duck Hunt’ was a multinational effort that infiltrated and dismantled Qakbot, malware that remotely controlled more than 700,000 computers around the world.

The operation has been described as “one of the largest US-led disruptions of a botnet infrastructure”. It was led by the FBI, in collaboration with partners in France, Germany, the Netherlands, Romania, Latvia and the UK.

After seizing control of the botnet, officials remotely removed the malicious software agent from thousands of infected computers.

“The FBI neutralised this far-reaching criminal supply chain, cutting it off at the knees,” said FBI director Christopher Wray. “The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”

The Qakbot software was believed to have been used to facilitate 40 ransomware attacks over 18 months, allowing hackers to seize about $58m (£46m), according to reports.

During the last 15 years, the malware was leveraged by prolific ransomware groups, such as Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta. Overall, Qakbot is believed to have accounted for about 30 per cent of attacks globally in 2023, impacting one in 10 corporate networks.

“Nearly every sector of the economy has been victimised by Qakbot,” said US attorney Martin Estrada, announcing the takedown.

Qakbot infected computers and added them to its botnet through spam emails. Once a user clicked on the malicious attachment or link, the computer was added to the network, allowing hackers to remotely install additional malware on the device.

The victims of these attacks include an Illinois-based engineering firm, financial services organisations in Alabama and Kansas, a Maryland defence manufacturer and a Southern California food distribution company, Estrada said.

Donald Alway, assistant director in charge of the FBI’s Los Angeles office, said the network was “literally feeding the global cybercrime supply chain” and called it “one of the most devastating cybercriminal tools in history”.

After infiltrating the network, the FBI was able to route Qakbot traffic through FBI-controlled servers and instruct infected computers to uninstall the malware.

During ‘Operation Duck Hunt’, officials were also able to recover stolen credentials such as email addresses and passwords of more than 6.5 million victims, and seize $8.6m (£6.8m) in cryptocurrency, which will now be made available to victims.

Officials did not make any arrests, and an investigation is still ongoing to identify those behind the network.

The Covid-19 pandemic and Russia’s invasion of Ukraine have created conditions that have favoured a dramatic increase in cyber crime, effectively turning the cyber space into what Australia’s cyber-security agency has described as “the domain of warfare”.

This rise in cyber crime has affected governments and organisations across the world. The UK’s NHS, the US’s Apple and even the Albanian government have all suffered severe cyber attacks that have disrupted their services and put their users’ personal information at risk.

Earlier this summer, a flaw in the MOVEit Transfer application exposed the personal data of employees at private companies such as the BBC, Boots, British Airways and Aer Lingus, as well as public bodies including the government of Nova Scotia in Canada.

The Electoral Commission also revealed it has been the subject of a “complex cyber attack” that made copies of electoral registers from August 2021 accessible to hackers.
