Department of Justice Announces Takedown Operation Against Qakbot Malware System Transcript

Good morning. My name is Martin Estrada. I’m the United States Attorney based here in Los Angeles. We’re here today to announce the most significant technological and financial operation ever led by the Department of Justice against a botnet. The botnet in question is one of the most notorious and pernicious botnets in the world. It’s known as Qakbot. I’d like to put on the screen now the first slide of the presentation so you can see the name of this particular botnet.

(00:32)
Qakbot has been responsible during the course of its life for numerous losses in the area of cyber crime, 10s of millions of dollars in losses through ransomware payments. And by stopping Qakbot and dismantling Qakbot, we’re saving consumers and victims 10s of millions of dollars of losses throughout the world.

(00:56)
In addition, we seized through this operation almost $9 million in cryptocurrency by the cyber criminals, and that money now can be returned to victims of some of these cyber attacks.

(01:10)
This was an unprecedented operation with worldwide scope led by the FBI and the Department of Justice, but also in collaboration with partners throughout the world, including law enforcement partners in France, United Kingdom, Germany, the Netherlands, Romania, and Latvia. Together we have taken down Qakbot and saved countless victims from future attacks.

(01:36)
In order to understand the significance of this operation, it’s important to have a little background in terms of how this operation takes place within the sphere of cyber criminality. As all of you know, we live in an age of enormous technological capabilities and advances. We’re able to share information. We’re able to communicate in ways that prior generations thought unthinkable. But with those advances have also come costs, cyber crime. All of us have dealt with attempts to steal our information, to steal our identities, to sell us on sham investments and to take our money.

(02:15)
These acts are carried out by organized criminal groups acting throughout the world. And the problem of cyber crime is one that is massive. One recent study found that this year alone, cyber crime will be responsible for costs of approximately $8 trillion, trillion with a T, worldwide.

(02:37)
Ransomware attacks are one of the most pernicious forms of cyber crime. During these attacks, organized groups hack into businesses, government entities to steal data and shut off systems by encrypting those systems. They then demand extortionate payments in order to release the systems back to the businesses. In many cases, there are double layered attacks where the cyber criminals first hack in and steal data, then encrypt the devices and then demand extortionate payments in order to not release the data publicly.

(03:13)
Victims in our region here in Los Angeles have suffered significantly from ransomware attacks. For example, just in the last year alone, cyber criminals had targeted the Los Angeles Unified School District, the second-largest school district in the country. Cyber criminals have targeted the San Bernardino Sheriff’s Department, one of the largest sheriff’s departments in the country. And cyber criminals have targeted hospitals run by Prospect Medical Holdings, a chain which runs hospitals throughout the country, and by doing that shut down emergency rooms and medical facilities throughout the country.

(03:49)
The danger of these ransomware attacks goes well beyond the money. Cyber criminals have attacked and shut down power stations, hospitals, food production companies, and other essential services. Stopping cyber crime is a matter of national security.

(04:05)
One major tool used by cyber criminal groups in these ransomware attacks is known as a botnet or robot network, and I’m placing before you on the screen an image which depicts how a botnet works. To create a botnet, a cyber criminal organization uses malicious software code, also known as malware, to infect computers belonging to innocent third parties throughout the world. You’ll see on the screen before you those innocent third parties are depicted as bot victims.

(04:39)
The malware often is installed using emails which contain links or documents which have clicked on insert the malware. This is known as a phishing attack. Phishing with a pH. Once infected, the victim computers respond to the commands of servers, which are also computers that have been infected by the malware. You’ll see that at the next layer above from the victims. These servers in turn are controlled by an administrator, the cyber criminal organization, which controls the entire botnet network. You’ll see in the depiction in front of you an image of how botnet works, but in many cases, including Qakbot, it’s even more complicated with more layers insulating the administrator.

(05:27)
The owners of the infected computers, the bot victims and the servers may have no idea that their computers are infected or even part of a botnet. Once enough computers are infected with this malware and become part of the botnet, it becomes a powerful tool for cyber criminals throughout the world.

(05:47)
Qakbot is one of the most successful, persistent and notorious botnets in the globe. Every year Qakbot infects hundreds of thousands of computers worldwide. It was first detected in 2008 and has been repeatedly updated over the years. And in terms of the infections, just this past year alone, we determined that Qakbot had infected over 700,000 different victim computers. These computers were controlled by the Qakbot administrator using a series of servers also throughout the world.

(06:24)
The Qakbot administrator, the cyber criminal organization sold access to the infected computers to cyber gangs who used that access to perpetrate ransomware attacks and other cyber enabled financial crime.

(06:39)
I’m showing you another slide now, and this depicts an example of Qakbot’s control panel, which the FBI obtained as part of this operation. You’ll see flags with numbers corresponding to countries where infected computers were located at the time of the screenshot. You’ll see for the United States alone at the time of the screenshot, over 130,000 victim computers infected, and that number only grew over time through the Qakbot criminal organization.

(07:11)
Because of this worldwide reach, Qakbot has been the botnet of choice for cyber gangs throughout the world. International cyber gangs like Black Basta, Conti and Egregor have repeatedly leveraged Qakbot to target businesses and core infrastructure throughout the world. Nearly every sector of the economy has been impacted by Qakbot.

(07:36)
Among the victims, a power engineering firm based in Illinois, financial services organizations based in Alabama, Kansas, and Maryland, a defense manufacturer based in Maryland, and a food distribution company based here in Southern California. I’m not naming the victims here because they’ve not previously been identified, but suffice to say the list goes on and on in terms of the victims impacted by Qakbot.

(08:05)
It’s difficult to quantify the harm that’s been caused by the Qakbot criminal organization, but the scope is massive. Just during the last 18 months, we’ve collected evidence that Qakbot has been responsible for approximately 40 different ransomware attacks, and just in those past 18 months, these ransomware attacks have cost businesses and government entities approximately $58 million in losses. As you can imagine, this is just for an 18-month period, and this Qakbot has been around since at least 2008, so you can imagine that the losses have been many millions more throughout the life of the Qakbot.

(08:46)
But today, all of that ends. During a trail grazing operation over the past three days, Justice Department prosecutors, agents with the FBI and our international partners have taken control of and dismantled Qakbot. Assistant Director in charge of the Federal Bureau of Investigation Don Alway will provide details in a few minutes, but I want to emphasize that we’ve used our control of Qakbot to do two important things. First, we’re removing the Qakbot malware from infected computers. We’re notifying victims that they’ve been the targets of Qakbot and informing them through service providers of what has occurred. Second, we’re working with our international partners, as I mentioned law enforcement in France, the United Kingdom, Germany, the Netherlands, Romania, Lavia to seize servers. We’ve seized 52 servers in the United States and abroad. By seizing these servers for preventing Qakbot from resurrecting to cause further additional harm.

(09:49)
Also, very importantly, through this operation, we’ve recovered from the Qakbot criminal organization over 6.5 million credentials, victim credentials. Now, these victim credentials are things such as email logins and passwords, very sensitive information that these victims may have no idea were stolen from them. We’re working to notify those victims that that information has been stolen. In addition to the 6.5 million credentials that we’ve identified, our international partners are identifying many millions more.

(10:26)
Finally, we struck the Qakbot operators were it hurts the most, in the pocketbook. During this operation, we seized approximately $8.6 million in cryptocurrency linked to the ransomware payments. We’re working on setting up a mechanism so that victims can recover funds from these ransomware attacks attributed to Qakbot. All of this information regarding how victims can be notified about credentials being stolen, how they can be notified about funds and how to recover those funds will be available on our website. Please look there for details.

(11:01)
Let me say I’m incredibly proud of the work our team has done in carrying out this unprecedented operation. This operation is going to protect our country and our economy immensely, and I want to commend the work particularly of Assistant United States Attorneys Khal Shobaki and Lauren Restrepo from my Office of Cyber and Intellectual Property Crime section. I want to thank the partnership we’ve had with Trial Attorneys Jessica Peck, Ryan K.J. Dickey and Benjamin Proctor of the Justice Department’s Criminal Division’s Computer Crime Intellectual Property Section. We also thank Richard Downing from that same group, Deputy Assistant Attorney General in charge of these matters, and a special word of gratitude for the truly outstanding and visionary work of the FBI’s Los Angeles Field Office for leading this unprecedented investigation and operation.

(11:54)
As I’ve said before, my office’s focus is on victims and vindicating the rights of victims. This operation is all about that type of work. We’ll continue to do all we can fighting cyber criminals in order to protect consumers throughout the world. Thank you. And now I’ll welcome to the podium Assistant Director in Charge of the FBI Don Alway.

Thank you, Mr. Estrada. My name is Don Alway and I have the honor to lead the men and women of the FBI’s Los Angeles Field Office. Again, you hear me reference several times our thanks for the partnership. That was the key to the success in this operation.

(12:43)
This law enforcement action, which we have termed Operation Duck Hunt took more than just expertise in science and technology. It took ingenuity, passion, innovation, and teamwork to identify and cripple this highly structured and multilayered botnet system that was literally feeding the global cyber criminal supply chain.

(13:10)
I’d like to explain specifically the results of the actions taken by the Duck Hunt Team starting from Friday afternoon. The team gained access to Qakbot servers around the world, which allowed us to identify infected computers that make up the botnet. As of this past June, we identified approximately 700,000 computers infected in the past year alone, and approximately 200,000 of those computers are right here in the United States.

(13:42)
The FBI neutralized and blocked Qakbot servers, making them inaccessible to their criminal operators. The traffic was then redirected to an FBI controlled server, which gathered information to identify the infected computers and sent instructions on how to remove the malware.

(14:04)
In the United States this action was authorized by judicially authorized search warrant. The FBI file is an uninstaller file that removes the Qakbot malware and untethers the computers from the Qakbot botnet.

(14:21)
The FBI has partnered with numerous private sector partners, the Department of Homeland Security and International Law Enforcement Partners from around the world to notify the owners of the computers identified as part of the botnet during this operation.

(14:38)
I want to note that the search warrant applies only to the collection of information to identify the infected computers and the uninstallation of the Qakbot malware. The warrant does not authorize other access to the infected computers. We’re providing you with a redacted copy of that search warrant.

(14:58)
As of today, the law enforcement operation has led to the removal of thousands of malware copies of Qakbot from infected computers, and in effect, we have made the botnet inaccessible to their operators and owners. As we have removed the Qakbot malware from the network of infected computers, Qakbot has ceased to operate. As Mr. Estrada said, Qakbot sold access to its network of compromised computers to criminal affiliates who then in turn further victimized individuals with ransomware and data theft. These actions the team recently took starting Friday eliminated the threat posed by Qakbot.

(15:47)
Over the past 18 months, the Duck Hunt Team worked to identify hundreds of thousands of victims around the world in order to put an end to what has been described as one of the most devastating cyber criminal tools in history. And we believe this disruption will significantly reduce ransomware attacks from their vectors, data breaches, and global fraud. In addition to the cryptocurrency seized, we believe that this will effectively put the Qakbot criminal groups out of business.

(16:23)
This subject matter is complex and many may find is complicated or think that it won’t affect them. It can affect you and already has to many of us around the United States. So we want to emphasize practicing good cyber hygiene. A few of those tips may be make yourself a difficult target. Do so by using multi-factor authentication, strong passwords, having backups and keeping your systems updated. Most importantly, slow down and think before you click. If you have questions, please visit fbi.gov or ic3.gov for further guidance.

(17:02)
As the US Attorney recognized the stellar prosecutor team, I also want to acknowledge our talented cyber task force here in Los Angeles who continue to impress me every day, our international partners who worked side by side with us to mitigate this threat that is as influential and impactful in their country as it is in ours. And I’d like to thank our government partners to include the other FBI offices referenced from our Milwaukee and New Haven Field offices.

(17:33)
This was and is a team effort. Simply stated, the Duck Hunt Team’s actions this weekend and ongoing will prevent untold cyber attacks at all levels for the immediate and long-term future. We see that attacks on our critical infrastructure such as hospitals can put lives at risk. So in my opinion, this very much is saving lives. I want to thank you for your time and attention. This is an important matter. Thank you.

Thank you. And now we will take any questions? Yes, I see a hand on the back.

Yes. Do we know who is behind Qakbot and have any arrests been made thus far?

So one thing I should emphasize, this is an ongoing investigation, so we’re not going to get into any identification of any particular individuals. The investigation is ongoing. We’re gathering information, and that’s all I can say at this time.

And so just to clarify, to understand that the Qakbot itself is the software, the malware that is used to infect computers and then whoever’s behind that would sell that to cyber criminals? I just want to fully understand.

Sure. So as I explained, the botnet uses malware to infect computers, uses various layers to insulate itself, but ultimately there’s a command structure by the criminal organization. That command structure allows it to commit criminal acts, but also to sell itself out, to rent itself out to other cyber criminal groups. I mentioned some of the more notorious groups that have used this particular mechanism to commit cyber crimes, but that’s how it’s operated and that’s how it’s collected and caused millions of dollars in harm.

Is that organization based in the United States or somewhere else?

I can’t get into those details. I said it’s an ongoing investigation, but I can’t comment on that.

(19:27)
Any other questions?

Thank you very much everybody.

Thank you.