Microsoft seeks to disrupt Russian criminal hackers before US election
The botnets cause data to be inaccessible unless the victim pays a ransom
Microsoft has taken legal steps to dismantle one of the world's largest botnets, an effort it says is aimed at thwarting criminal hackers who might seek to snarl state and local computer systems used to maintain voter rolls or report on election results.
The company obtained an order from a federal judge in the Eastern District of Virginia last week that gave Microsoft control of the Trickbot botnet, a global network it describes as the largest in the world. The company wants to disrupt hackers' ability to operate with the election barely three weeks away.
Run by Russian-speaking criminals, the botnet poses a "theoretical but real" threat to election integrity by launching ransomware attacks, in which data is rendered inaccessible unless the victim pays a ransom, said Tom Burt, Microsoft's vice president of customer security and trust.
Botnets are networks of computers secretly infected by malware that can be controlled remotely. They can be used to spread ransomware, as well as to send malicious spam email to unsuspecting recipients. Trickbot is malware that can steal financial and personal data, and drop other malicious software, such as ransomware, onto infected systems.
The fear isn't that an attack could alter actual results, but rather that it could shake the confidence of voters, especially those already on edge from President Donald Trump's unfounded assaults on the integrity of mail-in ballots. "Having just a few precincts report that they got disrupted and locked up and people couldn't vote or their ballots can't be counted – it'd just be pouring kerosene on the fire," Burt said.
As of Monday afternoon, the botnet was still active, according to private-sector researchers. The US-based threat intelligence company Intel 471 found 19 Trickbot command-and-control servers still active around the world. Another, the Swiss security site Feodo Tracker, found at least a dozen such servers still active outside the United States.
Another firm, Milwaukee-based Hold Security, found a significant drop, about 75 per cent since September, in the number of infected devices, but reported that the botnet was still infecting computers in the United States, Europe and the Middle East and still delivering ransomware.
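For a defender, the practical question behind these server counts is whether any host on their own network is still talking to Trickbot infrastructure. The script below is an added example and is not code from the article, from Microsoft, or from any of the research firms named; it matches outbound connection records against a command-and-control blocklist. The blocklist rows and the firewall log lines are constructed for illustration and use RFC 5737 documentation addresses, not real Trickbot servers. The CSV layout is modelled on the columns the abuse.ch Feodo Tracker IP blocklist publishes (first_seen_utc, dst_ip, dst_port, c2_status, last_online, malware); that layout is an assumption about the feed, not something the article states. Entries marked offline are kept on purpose: a takedown removes the server, not the infection, so a host still beaconing to a dead C2 address is still an infected host.

```python
"""Flag outbound connections to known Trickbot C2 addresses.

Constructed example: the blocklist and log lines are made up and use
RFC 5737 documentation ranges. The CSV columns mirror the abuse.ch
Feodo Tracker IP blocklist (an assumption about that feed's layout).
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed Feodo-style feed. The Dridex row shows family filtering.
BLOCKLIST_CSV = """\
# Feodo Tracker style IP blocklist (constructed sample, not real data)
first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2020-09-28 11:02:17,203.0.113.10,443,online,2020-10-12,TrickBot
2020-09-30 08:41:00,198.51.100.77,449,online,2020-10-12,TrickBot
2020-08-15 19:10:52,192.0.2.45,443,offline,2020-10-01,TrickBot
2020-10-02 03:33:21,192.0.2.99,443,online,2020-10-12,Dridex
"""

# Constructed firewall log, one allowed outbound connection per line.
FIREWALL_LOG = """\
Oct 12 14:01:03 fw1 conn: src=10.20.4.17 dst=203.0.113.10 dport=443 proto=tcp action=allow
Oct 12 14:01:09 fw1 conn: src=10.20.4.17 dst=93.184.216.34 dport=443 proto=tcp action=allow
Oct 12 14:02:41 fw1 conn: src=10.20.9.3 dst=198.51.100.77 dport=449 proto=tcp action=allow
Oct 12 14:03:00 fw1 conn: src=10.20.9.3 dst=192.0.2.45 dport=443 proto=tcp action=allow
Oct 12 14:03:15 fw1 conn: src=10.20.4.17 dst=203.0.113.10 dport=8080 proto=tcp action=allow
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


@dataclass(frozen=True)
class C2Entry:
    ip: ipaddress.IPv4Address
    port: int
    status: str   # "online" or "offline" as reported by the feed
    family: str


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    dport: int
    listed_port: int
    c2_status: str

    @property
    def exact(self) -> bool:
        """True when both the address and the listed C2 port matched."""
        return self.dport == self.listed_port


def load_blocklist(csv_text: str, family: str = "TrickBot") -> Dict[ipaddress.IPv4Address, C2Entry]:
    """Parse a Feodo-style CSV, keeping rows for one malware family.

    Comment lines are dropped before the header is read. Offline C2s are
    kept: a bot beaconing to a seized server is still an infected host.
    """
    rows = [ln for ln in csv_text.splitlines() if ln and not ln.startswith("#")]
    entries: Dict[ipaddress.IPv4Address, C2Entry] = {}
    for row in csv.DictReader(io.StringIO("\n".join(rows))):
        if row["malware"].lower() != family.lower():
            continue
        ip = ipaddress.ip_address(row["dst_ip"])
        entries[ip] = C2Entry(ip, int(row["dst_port"]), row["c2_status"], row["malware"])
    return entries


def find_c2_connections(log_text: str, blocklist: Dict[ipaddress.IPv4Address, C2Entry]) -> List[Hit]:
    """Return one Hit per log line whose destination is a listed C2 address.

    Matching is on destination address only; the port is recorded so the
    analyst can see whether the connection used the listed C2 port.
    """
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue   # not an IP literal (e.g. a hostname); skip
        entry = blocklist.get(dst)
        if entry is None:
            continue
        hits.append(Hit(line[:15], m["src"], m["dst"], int(m["dport"]), entry.port, entry.status))
    return hits


def infected_hosts(hits: List[Hit]) -> List[str]:
    """Internal sources that contacted any listed C2, for triage."""
    return sorted({h.src for h in hits})


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_CSV)
    found = find_c2_connections(FIREWALL_LOG, bl)
    for h in found:
        kind = "exact" if h.exact else "ip-only"
        print(f"{h.timestamp} {h.src} -> {h.dst}:{h.dport} [{kind}, C2 {h.c2_status}]")
    print("hosts to isolate:", infected_hosts(found))
```

Run against a real export of the feed and your own firewall or proxy logs, the only change needed is the two input strings. Treat an ip-only match as a lead rather than noise: Trickbot operators rotated ports, and the article notes they were expected to rebuild after the takedown, so a host reaching a listed address on an unlisted port still deserves a look.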
Burt said he expected remaining servers would be taken down "in the next few days" and as the botnet operators seek to rebuild their network, the firm will "take further action as needed."
Ransomware is one of federal officials' top concerns for the election. Christopher Krebs, who heads the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, said the types of harmful activities enabled by Trickbot, including ransomware, are clearly on the rise in the United States.
"With the US election already underway, we need to be especially vigilant in protecting these systems during this critical time," Krebs said in a statement to The Washington Post. "This action proves that when the defenders team up, we can adapt to cripple the bad guys and make meaningful progress in improving our cybersecurity."
Microsoft says the botnet run by Trickbot operators includes at least one million infected computers, and that it is the one most commonly associated with the distribution of ransomware. Other analysts say the network includes closer to three million infected computers.
In recent weeks, the US military has mounted an operation to temporarily disrupt Trickbot, hijacking its command and control servers to send out updates to all infected computers, effectively severing the communication between the victimised computers and the servers.
The operation by US Cyber Command is aimed in part at helping to secure the election, but also to more broadly damage a network that has ensnared state and local governments, banks, health-care institutions and research facilities in the United States and globally.
Cyber Command's efforts were not expected to permanently dismantle the network, but officials say even temporary disruption serves to distract criminals as they seek to restore operations.
The company obtained a temporary restraining order Tuesday, allowing it to seize internet addresses from eight hosting providers in the United States. The company is working with internet providers in other countries to hobble Trickbot's operations.
Microsoft has no evidence that the botnet ringleaders intended to seek to disrupt the election, Burt said. Rather, the firm was concerned about the botnet's potential to be used to fuel confusion, perhaps by locking up voter-registration or e-pollbook systems in the lead-up to and on Election Day.
Reporting systems or voter-registration sites are easier targets for hackers than the actual systems that count the ballots, which governments have worked to harden over the years.
Criminals have already used Trickbot against a major health-care provider, Universal Health Services, whose systems were crippled by the ransomware known as Ryuk. The attack forced staff to resort to manual systems and paper records, according to reports. UHS runs more than 400 facilities across the United States and Britain. Some patients reportedly were rerouted to other emergency rooms and experienced delays in getting test results.
Through their actions, Microsoft and internet providers in other countries sought to disable the botnet's command and control servers. Microsoft also sought to block any effort by the operators to lease or buy new servers, the firm said. The effort was timed to deprive botnet operators of the opportunity to rebuild their zombie army before the election, it said.
Microsoft was joined in its action by the Financial Services Information Sharing and Analysis Center (FS-ISAC), a trade group of nearly 7,000 financial institutions focused on sharing global cyber threat information affecting financial services.
Microsoft helped pioneer the use of court orders to dismantle botnets, dating to 2010, when it worked with global industry experts to shut down the Waledac botnet. In this case, besides claiming violations of federal hacking laws, Microsoft argued that the botmasters infringed its copyrights by distributing malware that incorporated Microsoft code without permission.
The Washington Post