Senior Justice Department officials on Tuesday revealed a major digital sting they carried out to quash malware that cybercriminals have used for decades to launch ransomware attacks, break into corporate networks, and filch sensitive consumer data across the globe.
The operation, which they called “unprecedented,” involved FBI agents and law enforcement partners in six other countries — France, the United Kingdom, Germany, Netherlands, Romania and Latvia — slipping unnoticed onto the computer servers where criminals controlled the notorious QakBot malware. They issued commands to self-destruct it and then seized roughly $9 million worth of cryptocurrency from those behind the malware, United States Attorney Martin Estrada said Tuesday.
The campaign, which U.S. law enforcement planned over 18 months and then brought to a head over three furious days this weekend, amounts to “the most significant technological and financial operation ever led by the DOJ against a botnet,” Estrada said from a U.S. attorney’s office in Los Angeles.
Botnets — short for robot networks — are vast webs of computers infected with a common piece of malicious software. Cybercriminals control a botnet through a hub-and-spoke-like web of command servers, which issue instructions to the infected machines, harnessing their combined computing power to stage cyberattacks, breach corporate networks or illicitly harvest data.
The operators of botnets also tend to rent access to other cybercriminals via the dark web, and QakBot’s enormous size made it “the botnet of choice for cyber gangs throughout the world,” Estrada said.
Over the course of the 18-month operation, U.S. and international law enforcement clandestinely gained access to the 52 servers controlling QakBot. That gave them a unique, behind-the-curtain look at how much damage the malware caused.
Cybercriminals infected 700,000 new victims with the malware over the past year alone, roughly 200,000 of them in the U.S., according to U.S. law enforcement. They also used it to launch 40 different ransomware attacks, causing $58 million in damages.
“You can imagine that the losses have been many millions throughout the life of QakBot,” which has been active since 2008, said Estrada.
U.S. law enforcement did not announce any arrests on Tuesday. When asked who they believed to be responsible for the botnet, Estrada declined to say, citing the ongoing nature of the investigation.
U.S. officials have repeatedly warned that a large percentage of global cybercrime and ransomware activity comes from Russia. They accuse the Kremlin of turning a blind eye to digital crooks as long as they focus their activity abroad — a claim Russia denies. China also accounts for significant hacking activity within the United States, but authorities say a majority of it is state-sponsored. The Chinese government also denies sanctioning hacking efforts.
Given how long it has been operating and the financial nature of the crimes QakBot is associated with, it is likely that many cybercriminals from across the world have contributed to or rented services from the botnet.
The operation follows a string of recent digital takedown operations from the Justice Department, which has made a concerted push over the last three years to find new ways to stem a growing wave of cybercrime.
Because much computer crime occurs abroad, cybercriminals rarely face punishment, even if charged with a crime.
Donald Alway, the assistant director in charge of the FBI’s Los Angeles field office, which spearheaded the case, said that the operation had dealt a major blow to cybercrime.
“We believe that this will effectively put the QakBot criminal groups out of business,” he said, and put an end to “one of the most devastating cybercriminal tools in history.”