Prolific cybercrime group reemerges following FBI takedown

Sean Lyngaas, CNN
·2 min read

A notorious cybercriminal group is still active and attempting to conduct ransomware attacks despite an FBI attempt to sabotage the group’s operations in August, cybersecurity researchers said Thursday.

The hackers have in the last two months sent a flurry of malicious emails written in English, Italian and German in a far-flung effort to rebuild their vast network of infected computers that they use for fraud and ransomware attacks, Cisco Talos, the cyber intelligence unit of Cisco, said in a blog post.

It was unclear how successful the hacking attempts were. But the news underscores the resiliency of multimillion-dollar cybercriminal gangs, often based in Eastern Europe and Russia, that can rebuild computer networks infiltrated by Western law enforcement.

The research comes weeks after the FBI and European law enforcement agencies announced an operation to “dismantle” the core computer infrastructure used by the hackers. The hackers were known for developing malicious code called Qakbot that Russian-speaking had used in attacks on health care companies and government agencies worldwide.

The law enforcement sting in August cut off communication between the hackers’ main computer server and some of the hundreds of thousands of infected computers they use for cyberattacks. However, a separate set of infrastructure used by the hackers to send “phishing” emails aimed at infected victims appears to have been untouched by the FBI takedown, according to Cisco Talos.

“Having the phishing infrastructure intact means the [hackers] can quickly rebuild the network of infected machines,” Guilherme Venere, a threat researcher at Cisco Talos, told CNN. “[T]hese actors are opportunistic, sending out high volumes of campaigns to a huge number of recipients to help infect as many systems as possible.”

The FBI declined to comment on the new research. A senior FBI official previously told CNN the investigation into Qakbot is ongoing. FBI officials have also acknowledged the durability of cybercriminal networks and said the bureau intends to wear them down through repeated raids on their infrastructure.

The Qakbot operatives are far from the only cybercriminal network to reemerge following a high-profile FBI takedown.

The FBI has stepped up its search for members of another multimillion-dollar cybercrime group more than two years after the bureau and its European allies announced they had taken down the group’s computer systems, CNN reported last month. A hacking tool called Emotet that is associated with that group – whose operations were previously traced to eastern Ukraine – has stalked the internet for nearly a decade.

Like Qakbot, Emotet has cost victims hundreds of millions of dollars in losses, according to law enforcement officials.

For more CNN news and newsletters create an account at CNN.com