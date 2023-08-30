An international law-enforcement operation has dismantled a network of hundreds of thousands of computers that criminals used to launch cyberattacks against critical industries worldwide, U.S. authorities said Tuesday.

Investigators in the U.S., U.K., France, Germany, the Netherlands, Romania and Latvia took aim at a notorious strain of malware known as Qakbot that had infected more than 700,000 computers, placed them under its operators' control and allowed access to them to be leased out to criminal gangs for further cyberattacks. Justice Department officials said the so-called botnet was used in ransomware attacks, financial and elder fraud, data theft and more, and caused hundreds of millions of dollars in damage. Authorities said they had developed a tool that removed the malware from victim computers, and had seized nearly $9 million in stolen cryptocurrency related to the use of Qakbot.

The campaign, known as Operation Duck Hunt, “put an end to what has been described as one of the most devastating cybercriminal tools in history,” Donald Alway, a senior official at the Federal Bureau of Investigation’s Los Angeles field office, told reporters.

Qakbot, which security researchers say has been around since at least 2007, has in recent years been used by ransomware gangs to gain entry into computer networks. Known as a “malware loader,” Qakbot gives attackers an initial foothold on a compromised computer and is then used to download and run additional malware, including ransomware.

Qakbot is the most popular malware loader in use, accounting for 30% of cases involving a loader, according to U.S.-based cybersecurity firm ReliaQuest. Security firms have described Qakbot as among the longest-running and most damaging botnets ever assembled.

Officials declined on Tuesday to identify the gang responsible for Qakbot’s initial deployment, saying the investigation is ongoing. Qakbot has been under investigation by the FBI since at least 2011, an FBI official said.

U.S. officials did name several ransomware groups that have rented Qakbot to support their extortion campaigns. Among them was Conti, a group linked to Russia that security analysts describe as one of the most prolific and feared cybercriminal groups in the world, responsible for extorting hundreds of millions of dollars in attacks that have shut down emergency rooms, city governments and public schools since 2018.

Operation Duck Hunt represents the latest in a string of campaigns by the Federal Bureau of Investigation and Justice Department to disrupt cyberattacks rather than merely arresting or indicting hackers. Senior officials have likened this shift, which has been slowly building for years but has grown as a priority over the last couple of years, to the mission after the Sept. 11, 2001, attacks to thwart terrorist plots before they occur.

“The FBI led a worldwide joint, sequenced operation that crippled one of the longest-running cybercriminal botnets,” FBI Director Christopher Wray said Tuesday. “With our federal and international partners, we will continue to systematically target every part of cybercriminal organizations, their facilitators, and their money—including by disrupting and dismantling their ability to use illicit infrastructure to attack us.”

Some security experts applauded the takedown but doubted it would have a serious long-term impact on cybercrime.

“These groups will recover and they will be back,” said Sandra Joyce, vice president of Mandiant Intelligence at Alphabet’s Google Cloud unit. “But we have a moral obligation to disrupt these operations whenever possible.”