Infamous hacking network shut down by Microsoft resurfaces in time for US presidential election

A hacking network that was taken down by Microsoft in mid-October has resurfaced in time for the US presidential election.

The ‘Trickbot’ network infected over one million companies since 2016, installing dangerous malware and ransomware onto computers.

Microsoft obtained a court order to take control of the network and took it down.

“Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust,”  Microsoft Corporate Vice President Tom Burt, said at the time.

“Ransomware is one of the largest threats to the upcoming election,” he added.

This is because the software could potentially infect or disrupt election systems on the eve of Election Day, by targeting voter registration databases.

However, the notorious network has reappeared again, with the FBI having to issue a warning about the botnet.

“The cybercriminal enterprise behind TrickBot … has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization”, the agency wrote in an alert updated on 2 November.

“Cybercriminals disseminate TrickBot … via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware”.

At the end of October, the ransomware had been used to target US hospitals and healthcare providers.

This is because after Microsoft’s attempted takedown of the command and control (C&C) servers and domains botnet, that infrastructure was simply moved.

"Our estimate right now is what the takedown did was to give current victims a breather," a security researcher told ZDNet.

American intelligence officials have already raised concerns that Russian groups will use hacked networks to interfere in favour of president Donald Trump.

Officials did not make clear what they believed Russia planned to do but that they could potentially attempt to exacerbate disputes about the results by disrupting local computer systems.

Russian hackers did not manipulate voter data in 2016, but officials are concerned that their efforts were a test for future interference.

Although Microsoft took down all of the Trickbot command-and-control servers outside the United States, the botnet’s operators added another dozen servers in countries including Amsterdam, Berlin and Moscow.

“They definitely disrupted them, but Microsoft’s actions have not altered the capability of Trickbot to do what they did before,” said Mark Arena, thechief executive of threat intelligence company Intel 471.

“The bad guys have learned,” Arena continued. “They spread them out all over the world. They’ve built resilience and backups.”

Microsoft told the Washington Post that it believed it had severely limited Trickbot’s capabilities and that its disruption work continued around the world.

“Third party reports do not reflect the current state” of Microsoft’s actions, Burt said.

“We are actively tracking these efforts and executing additional and significant new steps toward continued disruption,” he added, but would not give more information on what those steps were.

However, it is not simply because of the technical ramifications of a botnet attack that make them so dangerous; during this election in particular, disinformation is also a severe threat.

“Whether it’s a nation-state or cybercriminal, whether the attack is successful or not, the biggest concern is the disinformation that will arise,” Allan Liska, an intelligence analyst at the cybersecurity firm Recorded Future, said in October. “It’s a worry because people already have shaky confidence.”

A ransomware attack could give credence to the claim that the election was rigged or hacked, something that president Trump has repeatedly claimed without evidence.