The FBI quietly wiped malicious programs from more than 700,000 computers around the world in recent days, the agency said Tuesday, part of an operation to take down a major component of the cybercrime ecosystem.
The operation’s goal was to disrupt a long-running botnet, a network of computers linked together by the same malicious programs, called Qakbot. Qakbot is a versatile tool that has long been available for rent to cybercriminals who use it to gain initial access to victims’ computers or files.
Botnets often rely heavily on hacking and exploiting computers that belong to people or companies who usually have no idea their devices are moonlighting as accomplices to cybercriminals. It is rare and often legally complicated, though not unprecedented, for the FBI to persuade a court to let it kick hackers out of victims’ computers without their knowledge.
The FBI got a court’s permission to proceed with the operation on Aug. 21, according to a copy of the warrant. Agents proceeded to hack into Qakbot’s central computer infrastructure four days later, the FBI announced, and forced it to tell the computers in its botnet to stop listening to Qakbot.
Keith Jarvis, a senior researcher at the Atlanta cybersecurity company Secureworks, which was monitoring the botnet and its takedown, said most computers infected with Qakbot were most likely effectively fixed in the first few hours of the FBI operation.
In a media call after the announcement, an FBI official who asked not to be identified said the FBI developed a particular removal tool for the operation. Victims will not be notified that their devices had been fixed or that they had ever been compromised, he said.
However, the FBI gave the names and email addresses of some of the people who had been hacked to Have I Been Pwned, a website that allows anyone to check whether they appear in certain major data breaches. Have I Been Pwned added 6.4 million email accounts tied to Qakbot to its database Tuesday.
The FBI’s announcement said that law enforcement agencies in France, Germany, the Netherlands, the United Kingdom, Romania and Latvia participated in the Qakbot takedown. The FBI official declined to say whether anyone was arrested or whether any governments were part of the cybercriminal operations.
Bradley Duncan, a researcher at Palo Alto Networks, said that while some of the largest cybercrime gangs use Qakbot to infect companies, schools and hospitals with disruptive ransomware, the FBI’s action was unlikely to translate into a major reduction in cyberattacks. Hackers have plenty of other ways to break in, he said.
“Although any disruption is good, Qakbot’s disruption may not make a massive dent in ransomware operations,” Duncan said.