Microsoft Takes Down Massive Botnet Before 2020 U.S. Elections

A building on the Microsoft campus in Redmond, Washington in 2014. (Photo: Stephen Brashear, Getty Images)

Microsoft has obtained a court order to seize servers the company says are part of the Trickbot botnet ahead of the 2020 U.S. elections, the Washington Post reported on Monday.

Microsoft vice president of customer security and trust Tom Burt told the Post the botnet poses a “theoretical but real” threat to election security, as it is known to be run by Russian-speaking criminals and could be used to launch ransomware attacks. Ransomware is a type of malware that hijacks computer networks and typically holds the data hostage in exchange for some kind of payment — although attackers could simply forgo the ransom element and permanently lock users out of their own computers. While a ransomware attack on voting machines, election officials, or political campaigns would be unprecedented, gangs of cybercriminals have targeted municipal and state governments, as well as large institutions like hospitals, in recent years.

Microsoft wrote in a blog post that observing computers infected by Trickbot allowed it to determine how the compromised devices talked to each other and how they attempted to obfuscate those communications. This analysis also allowed the company to identify the IP addresses of the command and control servers that distribute and direct Trickbot.

On Monday, the company obtained a restraining order against eight U.S. service providers, citing Trickbot’s infringement of Microsoft trademarks. That in turn allowed it to take those IP addresses offline, rendering the estimated 1 million Trickbot-infected devices useless and irrecoverable to those running the botnet. Per the blog post:

As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.

Trickbot itself isn’t a strain of ransomware — it’s a trojan that hijacks web browsers to steal login credentials and is often used to target banks — but it can be used to deliver ransomware such as Ryuk, which infamously targeted hospital systems in Alabama. Cybersecurity firm Kaspersky estimated Ryuk and other ransomware variants were used in at least 174 attacks on municipal institutions in 2019.

Microsoft wasn’t concerned the botnet could be used to modify actual election results but that an attack on voter registration systems, tablets used by poll workers, or result-reporting systems could be used to disrupt the election and fuel efforts to undermine its legitimacy, the Post wrote.

The tech giant has “quietly” racked up support from authorities in numerous countries for its Digital Crimes Unit to spearhead anti-botnet efforts, the New York Times reported earlier this year. As of March 2020, Microsoft had taken down 18 cybercrime operations in the past decade, including simultaneously freezing or seizing control of some six million domains which were used by the Russia-based Necurs group to send fraudulent emails, support stock market scams, and spread ransomware. According to Bloomberg, the Trickbot takeover was “highly coordinated” and required the assistance of telecom providers in several countries. The company was also joined in the suit by the Financial Services Information Sharing and Analysis Centre, which represents thousands of banks, some of which have been targeted by Trickbot.

Last week, the Post separately reported that four sources had confirmed U.S. Cyber Command was launching its own operations to disrupt the Trickbot network at least temporarily. On Sept. 22 and Oct. 1, cybersecurity experts noticed Trickbot’s command and control servers had apparently been hacked to send out termination commands to infected machines, though in both cases the operators of the botnet were able to regain control of the situation.

Brett Callow, a spokesperson for security firm Emsisoft, told Bloomberg the Trickbot network was associated with at least two major Eastern European or Russian groups: the operators of Ryuk (who have earned the moniker Wizard Spider), and those of a newer variant called Conti that may itself be an offshoot or successor to the Ryuk group. CrowdStrike believes Wizard Spider is a criminal gang motivated by money rather than a nation state-backed group.

Microsoft wrote in its blog post that the operators of the Trickbot network remain unknown, but “research suggests they serve both nation-states and criminal networks for a variety of objectives” on a mercenary “malware-as-a-service” basis. Tom Kellermann, chief of cybersecurity strategy at VMware and a member of an advisory board to the Secret Service, told the Times the Russian government maintains a “pax mafiosa” with cybercrime gangs in which it looks the other way in order to leverage them for its own purposes.

“It’s a highway out there that is used only by criminals,” Amy Hogan-Burney, a former FBI lawyer turned chief manager of Microsoft’s Digital Crimes Unit, told the New York Times. “And the idea that we would allow those to keep existing makes no sense. We have to dismantle the infrastructure… We’ve cut off their arms, for a while.”