Malware-as-a-Service (MaaS) giant TrickBot, a botnet estimated to be about one to three million computers strong, is the world’s largest of its kind and the biggest distributor of ransomware. It has been wreaking havoc on the United States for several years, and US Cyber Command also expects it to be involved in election interference attempts ahead of the 2020 vote. Both Cyber Command and Microsoft are actively running persistent operations against the TrickBot botnet in an effort to reduce its capability, and there have been some significant successes.
TrickBot botnet in the crosshairs
Cyber Command is the Pentagon’s offensive force in cyberspace, engaging in active measures against threat actors. The agency has been tracking TrickBot for some time; it came onto the US government’s radar after the Department of Homeland Security (DHS) issued reports indicating that it was a substantial ransomware threat to state and local IT networks. TrickBot not only poses a threat to the 2020 election, but also has the ongoing potential to disrupt critical infrastructure such as patient care facilities, financial institutions and utilities.
The primary concern is the delivery of ransomware or a distributed denial of service (DDoS) attack that takes down voting registration systems temporarily at just the wrong time. However, prior TrickBot operations have also demonstrated the capability to deliver other types of malware. Since mid-2019 the botnet has been used to deliver a trojan that primarily targets online banks, distributing mass emails to a target organization that redirect readers to a malware site. The trojan is capable of moving laterally across networks and has been observed harvesting login credentials for banking sessions, usually just prior to attacking with the Ryuk ransomware.
TrickBot is a collection of between one and three million “zombie” computers that is controlled by an unknown group that speaks Russian. The botnet first appeared in 2016 and was first identified by Microsoft, rising to become one of the world’s biggest and most persistent threats to businesses in 2018. TrickBot has hit hundreds of banks since, and one of its most high-profile attacks was a mass phishing campaign in early 2019 that attempted to trick US tax filers with a fake email purporting to be from the IRS. Universal Health Services was also victimized by the TrickBot botnet in September, causing damage to all 250 of the organization’s locations and in some places forcing patient care providers to return to using handwritten records for a time.
According to Suzanne Spaulding, Nozomi Networks advisor and former DHS Undersecretary, private-public partnerships have become virtually mandatory in order to take down big and complex botnets such as this one: “The Microsoft take-down is an example of exactly the kind of whole-of-nation, even whole-of-world, approach we need. The private sector working with government at all levels, including state and local governments who’ve been victims and multiple federal entities, including the courts, as well as international partners, all coming together to identify and disrupt the bad guys. Microsoft has done previous botnet take-downs but this one is particularly important in the midst of the 2020 election because ransomware is a threat that CISA Director Chris Krebs says keeps him up at night.”
Much of the information about Cyber Command’s movements against TrickBot comes from anonymous information provided to cybersecurity press such as Krebs on Security, as these operations are mostly classified. Microsoft, running its own separate operations, has been more public about its actions. The software giant said last week that it had coordinated with Slovakia-based security firm ESET, the Financial Services Information Sharing and Analysis Center, NTT, Lumen’s Black Lotus Labs, and Symantec to take a big bite out of TrickBot’s infrastructure. The company traced the botnet’s communications back to its command and control servers, disabling their IP addresses and blocking efforts by the threat actors to acquire new servers. Microsoft was granted a court order by the U.S. District Court for the Eastern District of Virginia to take direct action against the botnet, something it has done in the past in operations against hackers based in Russia and North Korea.
Though it believes the TrickBot botnet has been substantially disrupted, Microsoft also cautions that it expects the botnet’s operators to regroup and eventually restore its capabilities. Krebs is reporting that at least six TrickBot botnet controllers are still online and responding to commands.
Suppressing the TrickBot botnet
Disabling the TrickBot botnet, even temporarily, has no doubt frustrated the upper-tier international cyber criminals that pay to make use of its services. They will inevitably be back, but Microsoft and Cyber Command may have bought the whole of the US valuable time in which to improve defenses. In the wake of the operations, security professionals that track the TrickBot botnet have noted that its attacks have slowed down to hundreds of attempts per day rather than thousands.
Nozomi Networks co-founder Mr. Andrea Carcano commented on Microsoft’s inventive use of copyright law to take down servers in this case: “This isn’t the first time that Microsoft has leveraged trademark laws to chase down botnet operators, they used the tactic back in 2011 to take down Rustock … as Microsoft’s actions show, this doesn’t mean that you cannot be creative with the technical and non-technical tools available. The beauty of this latest approach is that while defenders have to suffer the asymmetry of attackers operating behind the limits of the law, by taking the case to court, Microsoft gained a legal advantage to regain control.”
More permanent measures for disabling the TrickBot botnet are reportedly being considered by Cyber Command and other US agencies. Techniques used in the past to take down major botnets include long-term stealth operations to take over full control, isolating regions of the world so that attackers are forced into countries that have higher visibility into their operations, and sending out coordinated “kill signals” to shut down all known command-and-control servers at once. However, the most permanent method tends to be physically tracking down the operators and arresting them.
Though the TrickBot botnet is a persistent threat that will require persistent engagement to totally subdue, squelching most of its capability to carry out ransomware attacks during the US election is considered to be very important to national defense by Cyber Command. As Chloé Messdaghi, VP of Strategy for Point3 Security, noted: “It’s a great start but a new Gallup study finds that only 59% of Americans have full confidence in our election process and faith that our votes are going to be accurately tallied nationwide. Misinformation plays a serious role in this doubt.” Given the contentiousness of the election and an already-established environment of suspicion about the reliability of voting systems, there is the possibility that invalidating even a relatively small and localized number of votes could spark serious civil unrest.