A coalition of technology companies used a federal court order unsealed on Monday to begin dismantling one of the world’s most dangerous botnets in an effort to pre-empt disruptive cyber-attacks before next month’s US presidential election.
The takedown is a highly co-ordinated event, spearheaded by the software giant Microsoft Corp and involving telecommunications providers in multiple countries.
If the operation succeeds, it will disable a global network of infected computers created by a popular malicious software known as Trickbot.
Trickbot operators were expected to begin losing communication with the millions of computers they had painstakingly infected over a period of months, even years.
The loss of the botnet — as a network of infected computers is known — will make it more difficult for Russian-based cybercriminals and other digital marauders to do their work.
It will likely take months or years for the criminals to recover, if at all.
By dramatically dismantling Trickbot’s network, Microsoft and its partners believe they will likely head-off ransomware attacks that could compromise voting systems before the US presidential election on November 3, said Tom Burt, vice president of Microsoft’s customer security and trust division.
“They could tie-up voter registration roles, election night reporting results and generally be extremely disruptive,” Burt said. “Taking out one of the most notorious malware groups, we hope, will reduce the risk of ransomware’s impact on the election this year.”
Coordinated takedowns like the one on Monday have become increasingly common in the last several years, although the legal and technical hurdles involved are substantial.
In this case, Microsoft and its partners were able to obtain a federal court order founded on Trickbot’s infringement of Microsoft’s trademarks, but ultimately aimed at disconnecting communications channels the attackers use to control the malicious software.
By presenting evidence to a federal judge – and by leveraging the requirement that foreign companies comply with US law – private companies can be as effective as governments at dismantling the global infrastructure of big cybergangs.
But in this case, Microsoft and the US government may be treading some of the same ground.
While Microsoft and its partners were preparing for its takedown, US Cyber Command mounted an unrelated operation to temporarily disrupt Trickbot as part of an effort to prevent problems prior to next month’s elections, the Washington Post reported last week.
When asked about the government attack, Defence Department spokesman Russell Goemaere said, “As a matter of policy we cannot comment on ongoing operations.”
Trickbot malware is known to be used by several criminal groups, including at least two major Eastern European or Russian ransomware gangs.
Those criminal hackers specialise in encrypting data on a user’s infected computer, then demanding money to restore access to the legitimate owner.
One of the gangs, known as Conti, appears to specialise in targeting American local and state governments, said Brett Callow, a threat analyst at the New Zealand-based cybersecurity company Emsisoft.
The other ransomware gang widely identified with Trickbot is called Ryuk.
Since January, at least 78 governmental entities have been subjected to ransomware attacks, according to Emsisoft.
The Russian connection to some of those attacks is especially worrying.
Since 2016, the Department of Homeland Security, cyber-researchers and Western intelligence have repeatedly warned of further Russian meddling in the 2020 election, especially with the use of ransomware.
Burt said Microsoft’s action amounts to a robust defence of American election infrastructure, which was revealed to be vulnerable after Russian hackers ransacked Democratic Party emails and targeted election systems in all 50 states in 2016.
Trickbot has been identified by Europol as a particularly nasty form of malware because of how it’s able to pivot and spread across networks undetected.
It typically embeds inside computers and Internet-connected devices.
After thoroughly mapping a computer network, Trickbot attackers will search for passwords and other stored data in order to steal money from banking and financial services websites.
In some cases, Trickbot’s operators then hand off those infected computers to ransomware groups like Ryuk and Conti, who then encrypt the data until the user pays a hefty ransom.
Microsoft and partners analysed about 61,000 different samples of the Trickbot malware during its investigation this year.
Along the way, researchers purposefully infected several of their own computers with the TrickBot malware. “This placed the computers under the control of the cybercriminals operators,” which allowed Microsoft’s researchers to monitor Trickbot’s communications with those infected machines.
The research helped identify the various layers of Trickbot’s communications platform, and ultimately helped Microsoft map out the botnet, according to court filings.
Among Microsoft’s partners in the Trickbot takedown is the FS-ISAC, or Financial Services information Sharing and Analysis Center.
Its members, including many large banks, have been studying Trickbot, which started out as a banking Trojan, for many years.
To help with Microsoft’s crackdown, the group used a sample of eight members and gathered data on 500 fraud attempts using Trickbot over a year and a half, according to Teresa Walsh, head of intelligence at FS-ISAC.
Bad actors tried to steal $7mn during these attempts and succeeded at siphoning off $1mn.
The botnet has targeted over 300 banks worldwide and has evolved beyond a banking Trojan, Walsh said.
Related Story