The FBI and European law enforcement agencies dismantled a massive network of hacked computers that had been used to defraud victims of hundreds of millions of dollars, agencies announced Tuesday.
The Justice Department seized over $8 million in cryptocurrency from the hackers and removed their malicious code from infected computers in the US and around the world, according to the announcement. The announcement put the number of infected computers at around 200,000 in the US and 700,000 globally, without saying how many of those had the malware removed.
It’s a blow to a hacking tool known as Qakbot that Russian-speaking ransomware gangs had used to cause “significant harm” to health care providers and government agencies around the world, the Justice Department said. The department said law enforcement agencies in France, Germany, the Netherlands and the United Kingdom helped with the takedown.
The State Department also announced a reward of up to $10 million for information on the people behind the malicious software.
It’s the latest step in a more aggressive effort by the FBI in the last few years to target popular hacking tools that allow cybercriminals to fleece Americans out of millions of dollars. The goal is to use every possible legal authority to make business harder for cybercriminals who are still regularly disrupting American companies and local governments.
“This is a concerted effort to target the services that other cybercriminals are leveraging across the globe,” a senior FBI official said in an interview.
The tool the FBI targeted in this case, known as a botnet, is an army of infected computers that hackers often use for a variety of fraud as well as potentially disruptive hacks. It’s a cheap way to amass digital firepower that can knock critical services like schools or health care providers offline.
Qakbot has been around for about 15 years, but ransomware gangs’ use of the tool in recent years added urgency to the law enforcement effort to infiltrate the group’s infrastructure. The investigation culminated late last week, when the FBI redirected the botnet’s internet traffic through computer servers controlled by the bureau and then issued commands to some infected computers to uninstall the malicious software.
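The takedown described above works by redirecting the botnet's command-and-control (C2) traffic to a server the investigators control and then sending the bots an uninstall command over their own protocol. The following Python is an added illustration written for this page; it is not code from the article, the FBI, or any analysis of Qakbot. It models a hypothetical bot protocol in which each infected host periodically asks whatever server its C2 hostname resolves to for a command. The hostname, command names, key and host names are all constructed for the example; Qakbot's real protocol and infrastructure are not described on this page. A third bot that verifies a signature on every command is included to show the caveat a practitioner would raise: a sinkhole can only issue a remote uninstall if the bots accept commands from any server the C2 name happens to point at.

```python
"""Toy model of a botnet C2 sinkhole takedown (added example, hypothetical protocol)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample values; none of these are real Qakbot artifacts.
C2_NAME = "c2.example.invalid"           # hypothetical C2 hostname the bots contact
OPERATOR_KEY = b"constructed-operator-key"  # secret only the operators' server holds


def sign(key: bytes, command: str) -> str:
    """HMAC-SHA256 over the command text, hex-encoded."""
    return hmac.new(key, command.encode(), hashlib.sha256).hexdigest()


@dataclass
class OperatorC2:
    """The criminals' server: answers check-ins with a signed 'beacon' command."""
    key: bytes = OPERATOR_KEY

    def respond(self) -> Tuple[str, str]:
        cmd = "beacon"
        return cmd, sign(self.key, cmd)


@dataclass
class SinkholeC2:
    """Law-enforcement server the C2 name now resolves to. It does not have the
    operators' key, so it can only send an unsigned 'uninstall' command."""

    def respond(self) -> Tuple[str, str]:
        return "uninstall", ""


@dataclass
class Bot:
    """One infected host. verify_key=None means it runs any command it receives."""
    host: str
    verify_key: Optional[bytes] = None
    installed: bool = True
    log: List[str] = field(default_factory=list)

    def check_in(self, resolver: Dict[str, object]) -> str:
        """Resolve the C2 name, fetch a command, run it. Returns what happened."""
        server = resolver[C2_NAME]          # whoever controls the name controls the bot
        cmd, sig = server.respond()
        if self.verify_key is not None and not hmac.compare_digest(
            sig, sign(self.verify_key, cmd)
        ):
            self.log.append(f"{self.host}: rejected unsigned command '{cmd}'")
            return "rejected"
        if cmd == "uninstall":
            self.installed = False           # malware removes itself
        self.log.append(f"{self.host}: executed '{cmd}'")
        return cmd


def build_fleet() -> List[Bot]:
    """Constructed sample fleet: two unauthenticated bots, one that verifies signatures."""
    return [Bot("host-1"), Bot("host-2"), Bot("host-3", verify_key=OPERATOR_KEY)]


def run_takedown(bots: List[Bot], resolver: Dict[str, object]) -> Tuple[int, Dict[str, str]]:
    """Point the C2 name at the sinkhole, let every bot check in once, and report
    how many uninstalled plus each bot's outcome."""
    resolver[C2_NAME] = SinkholeC2()
    results = {b.host: b.check_in(resolver) for b in bots}
    removed = sum(1 for b in bots if not b.installed)
    return removed, results


if __name__ == "__main__":
    fleet = build_fleet()
    dns = {C2_NAME: OperatorC2()}        # before the takedown: name points at the operators
    for bot in fleet:
        bot.check_in(dns)
    removed, outcome = run_takedown(fleet, dns)
    for bot in fleet:
        print("\n".join(bot.log))
    print(f"uninstalled on {removed} of {len(fleet)} hosts: {outcome}")
```

Running the block shows the two unauthenticated bots executing the beacon command from the operators and then removing themselves once the name is redirected, while the signature-checking bot rejects the sinkhole's command and stays installed. That last case is the reason the article's sources hedge about how long the disruption lasts: a rebuilt botnet that authenticates its C2 would not be removable this way without the operators' key.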
In the last 18 months, Qakbot was used in the initial stage of about 40 different ransomware attacks that led to $58 million in losses, Martin Estrada, the US attorney for the Central District of California, said at a news conference Tuesday. Qakbot’s victims have included a power engineering firm in Illinois, a defense firm in Maryland and a food distribution company in Southern California, Estrada said. Law enforcement officials are working to return the stolen money to victims, he added.
In a statement shared with CNN, FBI Director Christopher Wray said the bureau and its international partners had “crippled one of the longest-running cyber criminal botnets.”
“With our federal and international partners, we will continue to systematically target every part of cyber criminal organizations, their facilitators, and their money – including by disrupting and dismantling their ability to use illicit infrastructure to attack us,” Wray said.
The hackers can rebuild their computer infrastructure after the takedown, but FBI officials are hoping that will take a while.
Qakbot “took them years to put together and it would be difficult and time consuming for [the hackers] to reconstitute in the same manner that they had before,” said the senior FBI official, who estimated that Qakbot had caused hundreds of millions of dollars in direct or indirect losses to victims since 2008.
Asked if there was more cryptocurrency held by the Qakbot operatives to seize, the FBI official said the takedown announced Tuesday focused on computing infrastructure, “but there’s other work to be done here, to include financial aspects.”
John Fokker, a senior executive at cybersecurity firm Trellix, who tracks Qakbot, said the people behind the botnet have over the years developed new evasion techniques to try to throw investigators off the trail. “It really depends on how eager they are to rebuild” their computer infrastructure, Fokker told CNN, when asked how soon Qakbot might resurface.