Monday, April 29, 2024

Going after the bad guys

Law enforcement agencies around the world continue to battle the growing threat posed by cybercrime

Must Read

  • As the digital landscape evolves, a comprehensive approach that combines takedowns with proactive cybersecurity measures, international collaboration, and public-private partnerships is essential to effectively combat the persistent threat of cybercrime.
  • The security and enforcement communities need to continue to work together to improve information-sharing and collaborative endeavours with the concrete aim of identifying, arresting, and charging the people responsible for the dizzying array of online criminal enterprise.

In the dynamic cybersecurity landscape, law enforcement agencies around the world continue to battle the growing threat posed by cybercrime.

One of the strategies used to fight these digital adversaries involves taking down their attack infrastructure.

A prime example of this is the FBI’s recent coordinated effort in August 2023, targeting the Qakbot threat actor. This article examines the value of such law enforcement measures, exploring whether dismantling cybercriminal infrastructure has a significant impact on long-term criminal activity.

Rik Ferguson, Vice President of Security Intelligence at Forescout.

Emerging in 2007, Qakbot, also known as Qbot and Pinkslipbot, is one of the longest-running criminal botnets still active and has used spam campaigns to deliver information stealers, backdoors and, in recent years, ransomware including Conti, REvil, MegaCortex and Black Basta.

The Qakbot takedown

In August 2023, the FBI, alongside a laundry list of international partners, executed a well-coordinated operation aimed at disrupting the Qakbot threat actor’s infrastructure and seizing approximately $8.6 million in associated cryptocurrency assets.

This activity undeniably dealt a significant blow to the threat actors behind the Qakbot malware, but emerging evidence indicates that the blow was somewhat less than fatal. Researchers at Cisco Talos noted that a new campaign, begun shortly before the law enforcement action, remained ongoing afterwards, and that the disabled infrastructure probably represented only a part of the whole.

While the takedown succeeded in dismantling the Command & Control (C2) infrastructure, it fell short of impacting the group’s spam delivery capability, meaning that the Qakbot operators continue to service customer demand and profit from cybercrime, perhaps also affording them the means and opportunity to build back better.

This incident raises important questions about the efficacy of such actions and prompts a closer examination of the broader landscape of cybercrime.

Merits of infrastructure takedowns

Infrastructure takedowns, when successful, can lead to immediate disruptions in cybercriminal operations. By targeting key components, such as C2 servers, law enforcement can sever the communication lines between malware and its operators.

This disruption can hinder the execution of malicious activities, providing a respite for potential victims. As was the case with the Qakbot takedown, seized C2 infrastructure can sometimes also be used to instruct the malware to uninstall itself from compromised devices, significantly complicating any form of resurgence.

Takedowns also offer a valuable opportunity for law enforcement agencies to gather intelligence.

Examining the dismantled infrastructure can provide insights into the tactics, techniques, and procedures (TTPs) employed by threat actors. In addition to collection of evidence for the positive identification of the people behind the criminal operation, this intelligence can be crucial in enhancing cybersecurity measures and better preparing for future threats.

Publicising successful infrastructure takedowns can serve as a deterrent to other cybercriminals. Knowing that law enforcement is actively targeting their infrastructure may dissuade potential threat actors or make them more cautious, contributing to a more secure cyberspace.

Challenges and limitations

Despite the apparent immediate success of infrastructure takedowns, cybercriminals have proven to be remarkably resilient. The Qakbot incident illustrates this point: the threat actor retained its separate spam delivery infrastructure, which the operation did not reach, and carried on with little interruption. This adaptability challenges the long-term impact of such actions.

Notably, threat actors are often quick to recover from infrastructure takedowns. They may establish new servers, change communication protocols, or adopt other measures to resume their activities.

The transient nature of the digital realm allows cybercriminals to regroup and continue their operations swiftly, often learning valuable lessons from prior law enforcement activity and building more resilient infrastructure the next time around.

These takedowns can have further unintended consequences, affecting not only cybercriminals but also potentially innocent entities that share the same infrastructure. Shared hosting environments or compromised servers may inadvertently become casualties, causing disruptions to legitimate services.

Emotet

The Emotet malware, known for its sophisticated and modular design, was the target of a significant law enforcement takedown in January 2021.

However, the malware resurfaced in November 2021 with a hardened C2 infrastructure and more capable malware, demonstrating the ability of threat actors to regroup and adapt.

Emotet’s revival underscored the challenges in achieving a lasting impact through infrastructure takedowns alone.

TrickBot

TrickBot, another notorious malware, faced multiple takedowns over the years. Despite these efforts, the threat actor behind TrickBot managed to revive the malware and continue its campaigns.

The ability to recover from infrastructure disruptions highlights the cat-and-mouse nature of the ongoing battle between cybercriminals and law enforcement.

While law enforcement actions targeting cybercriminal infrastructure can provide immediate relief and valuable intelligence, their long-term impact remains a subject of debate.

The August 2023 FBI takedown of Qakbot’s C2 infrastructure serves as a recent example, and highlights the challenges posed by resilient threat actors.

As the digital landscape evolves, a comprehensive approach that combines takedowns with proactive cybersecurity measures, international collaboration, and public-private partnerships is essential to effectively combat the persistent threat of cybercrime.

Balancing the need for immediate action with the recognition of the dynamic and adaptable nature of cybercriminals is crucial for fostering a more secure online environment.

Above all, these joint law enforcement operations must become more frequent and more personal, that is, aimed at the individuals behind the infrastructure rather than the infrastructure alone. The considerable gaps between these headline-grabbing actions offer the threat actor far too much time and opportunity to regroup, reassess and relaunch with all the associated object lessons taken on board.

The unfortunate lack of actual kinetic and financial enforcement activity against the real people behind these criminal enterprises also means that any respite will only ever be temporary.

Even though the current state of geopolitics may be against us, the security and enforcement communities need to continue to work together to improve information-sharing and collaborative endeavours with the concrete aim of identifying, arresting, and charging that relatively small group of people most responsible for the dizzying array of online criminal enterprise.

  • Rik Ferguson is the Vice President of Security Intelligence at Forescout.
