Run by Russian-speaking criminals, the botnet poses a “theoretical but real” threat to election integrity by launching ransomware attacks, in which data is rendered inaccessible unless the victim pays a ransom, said Tom Burt, Microsoft’s vice president of customer security and trust.
Botnets are networks of computers secretly infected by malware that can be controlled remotely. They can be used to spread ransomware, as well as to send malicious spam email to unsuspecting recipients. Trickbot is malware that can steal financial and personal data, and drop other malicious software, such as ransomware, onto infected systems.
The fear isn’t that an attack could alter actual results, but rather that it could shake the confidence of voters, especially those already on edge from President Trump’s unfounded assaults on the integrity of mail-in ballots. “Having just a few precincts report that they got disrupted and locked up and people couldn’t vote or their ballots can’t be counted — it’d just be pouring kerosene on the fire,” Burt said.
As of Monday afternoon, the botnet was still active, according to private-sector researchers. The U.S.-based threat intelligence company Intel 471 found 19 Trickbot command and control servers still active around the world. Another, the Swiss security site Feodo Tracker, found at least a dozen such servers still active outside the United States.
Another firm, Milwaukee-based Hold Security, found a significant drop — about 75 percent since September — in infected devices, but reported that the botnet was still infecting computers in the United States, Europe and the Middle East and still delivering ransomware.
Burt said he expected remaining servers would be taken down “in the next few days” and as the botnet operators seek to rebuild their network, the firm will “take further action as needed.”
Ransomware is one of federal officials’ top concerns for the election. Christopher Krebs, who heads the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, said the types of harmful activities enabled by Trickbot, including ransomware, are clearly on the rise in the United States.
“I firmly believe that we’re on the verge of a global emergency,” Krebs said in a statement to The Washington Post. “With the U.S. election already underway, we need to be especially vigilant in protecting these systems during this critical time. This action proves that when the defenders team up, we can adapt to cripple the bad guys and make meaningful progress in improving our cybersecurity.”
Microsoft says the botnet run by Trickbot operators includes at least 1 million infected computers, and that it is the one most commonly associated with the distribution of ransomware. Other analysts say the network includes closer to 3 million infected computers.
In recent weeks, the U.S. military has mounted an operation to temporarily disrupt Trickbot, hijacking its command and control servers to send out updates to all infected computers, effectively severing the communication between the victimized computers and the servers. The operation by U.S. Cyber Command is aimed in part at helping to secure the election, but also to more broadly damage a network that has ensnared state and local governments, banks, health-care institutions and research facilities in the United States and globally.
Cyber Command’s efforts were not expected to permanently dismantle the network, but officials say even temporary disruption serves to distract criminals as they seek to restore operations.
The company obtained a temporary restraining order Tuesday, allowing it to seize Internet addresses from eight hosting providers in the United States. The company is working with Internet providers in other countries to hobble Trickbot’s operations.
Microsoft has no evidence that the botnet ringleaders intended to seek to disrupt the election, Burt said. Rather, the firm was concerned about the botnet’s potential to be used to fuel confusion, perhaps by locking up voter-registration or e-pollbook systems in the lead-up to and on Election Day. Reporting systems or voter-registration sites are easier targets for hackers than the actual systems that count the ballots, which governments have worked to harden over the years.
Criminals have already used Trickbot against a major health-care provider, Universal Health Services, whose systems were crippled by the ransomware known as Ryuk. The attack forced staff to resort to manual systems and paper records, according to reports. UHS runs more than 400 facilities across the United States and Britain. Some patients reportedly were rerouted to other emergency rooms and experienced delays in getting test results.
Through their actions, Microsoft and Internet providers in other countries sought to disable the botnet’s command and control servers. Microsoft also sought to block any effort by the operators to lease or buy new servers, the firm said. The effort was timed to deprive botnet operators of the opportunity to rebuild their zombie army before the election, it said.
Microsoft was joined in its action by the Financial Services-Information Sharing and Analysis Center, a trade group of nearly 7,000 financial institutions focused on the sharing of global cyber threats to financial services.
Microsoft helped pioneer the use of court orders to dismantle botnets, dating to 2010, when it worked with global industry experts to shut down the Waledac botnet. In this case, besides claiming violations of federal hacking laws, Microsoft argued that the botmasters infringed its copyrights by distributing malware that incorporated Microsoft code without permission.