Cyber Command, Microsoft take action against TrickBot botnet before Election Day

The Pentagon and Microsoft have moved against one of the world’s largest botnets in recent weeks.

TrickBot’s margin for success just got a lot smaller.

The Pentagon’s offensive hacking arm, Cyber Command, has carried out an operation to hinder the ability of TrickBot, one of the world’s largest botnets, to attack American targets, according to one U.S. government official who spoke to CyberScoop on the condition of anonymity because they were not authorized to discuss the matter. Microsoft also has sought to disrupt the TrickBot botnet, according to Tom Burt, the company’s corporate vice president of customer security and trust.

The two operations represented distinct efforts to interrupt a pernicious threat that U.S. government officials say could be used to launch ransomware attacks against IT systems that support the voting process ahead of Election Day. Such an attack against voter registration systems, for instance, could result in confusion, delays or other uncertainties when Americans cast their ballots.

As a result of the Microsoft operation, the people behind the TrickBot botnet — a collection of compromised zombie computers controlled by Russian-speaking attackers — will be limited in their ability to infect new victims and activate ransomware they may have been preparing to deploy against targets, according to Microsoft, which said Monday it had coordinated a takedown with Slovakia-based security firm ESET, the Financial Services Information Sharing and Analysis Center, NTT, Lumen’s Black Lotus Labs, and Symantec.


Microsoft tracked the technical infrastructure that TrickBot used to communicate with victim computers, gathered information about how the machines communicated among themselves, and learned the specific IP addresses of command-and-control servers used to control the botnet, Microsoft’s Tom Burt explained in an announcement.

The takedown took place after the U.S. District Court for the Eastern District of Virginia granted Microsoft’s request for a court order to interrupt and halt TrickBot’s operations, including disabling those IP addresses. Microsoft also blocked the operators from the content stored on the command-and-control servers and blocked efforts to purchase additional servers, Burt said in the announcement. The company previously used court orders to take action against malicious infrastructure from accused hackers in North Korea, Russia and elsewhere.

The Cyber Command operation, first reported by The Washington Post, was intended to temporarily disrupt the botnet, with a recognition that the operators behind TrickBot will likely regroup and try to restore their capability. To date, TrickBot has infected over one million devices since 2016, when it was first detected, according to Microsoft.

KrebsOnSecurity first reported on the apparent disruption of the botnet.

The moves came weeks before the 2020 U.S. presidential election, which Cyber Command and the U.S. National Security Agency have been working to protect against ransomware threats, as part of its broader “persistent engagement” strategy, an effort to deter adversaries by working to frequently impose costs on them.


Department of Homeland Security officials have long identified ransomware as a threat to IT networks that support elections — and have raised the issue with other federal agencies, including Cyber Command. In this case, DHS officials were in touch with Cyber Command on the threat that TrickBot has posed to state and local IT networks, according to two people familiar with the exchange. (Both sources spoke on the condition of anonymity because they were not authorized to speak to the media.)

DHS officials also advised Cyber Command on when to carry out the TrickBot operation to increase its impact, one of the people said.

DHS’s Cybersecurity and Infrastructure Security Agency this month issued a public advisory on the resurgence of Emotet, a credential-stealing malware, calling it “one of the most prevalent ongoing threats” against state and local governments. Hackers have previously used Emotet to install TrickBot.

The dual efforts to dismantle TrickBot came months after the hackers behind TrickBot created a new software tool to enhance their ability to steal victims’ banking information undetected, according to security researchers. TrickBot operates as a “malware-as-a-service,” in which its operators sell access to its infections to different customers.

Cyber Command and the Department of Homeland Security did not return multiple requests for comment. The FBI, which has tracked TrickBot closely and warned private sector organizations about the threat, declined to comment.


A reprieve from TrickBot ransomware

Although elections were the focus of the Cyber Command operation, the disruption efforts from the U.S. government and the private sector could also help mitigate ransomware threats that hospitals and health sector entities around the world have encountered during the coronavirus pandemic. TrickBot is one of the largest ransomware facilitation services on the internet, researchers have noted, with links to malware including Ryuk. Ryuk has been linked to attacks against targets such as Universal Health Services, an American health care provider.

The TrickBot disruption could also benefit other entities, including those in the financial, defense, government, and academic industries. Attackers have also used Ryuk against a contractor working for the U.S. Department of Defense, the North Carolina city of Durham, state courts, businesses, universities, and nursing homes.

While specific information about the Cyber Command operation remains murky, details from the Microsoft takedown hint at the difficulty TrickBot may face as its operators aim to restore their capabilities. (Microsoft and ESET said their effort was separate from that of the U.S. government.)

However, Liviu Arsene, a global cybersecurity researcher for Romania-based security firm BitDefender, which has been tracking TrickBot, warned that the disruption could pave the way for other crime to resurge in TrickBot’s place.


“Ransomware is a multi-billion dollar business and if there’s anything we’ve learned from how ransomware has evolved over the past couple of years, it’s that ransomware is resilient and capable of quickly adapting to change,” he said.

Sean Lyngaas contributed reporting. 

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
