Microsoft disrupts Russian criminal botnet it fears could seek to sow confusion in the presidential election
Run by Russian-speaking criminals, the botnet poses a “theoretical but real” threat to election integrity by launching ransomware attacks, in which data is rendered inaccessible unless the victim pays a ransom, said Tom Burt, Microsoft’s vice president of customer security and trust.
Botnets are networks of computers secretly infected by malware that can be controlled remotely. They can be used to spread ransomware, as well as to send malicious spam email to unsuspecting recipients. Trickbot is malware that can steal financial and personal data, and drop other malicious software, such as ransomware, onto infected systems.
The fear isn’t that an attack could alter actual results, but rather that it could shake the confidence of voters, especially those already on edge from President Trump’s unfounded assaults on the integrity of mail-in ballots. “Having just a few precincts report that they got disrupted and locked up and people couldn’t vote or their ballots can’t be counted — it’d just be pouring kerosene on the fire,” Burt said.
Ransomware is one of federal officials’ top concerns for the election. Christopher Krebs, who heads the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, said the types of harmful activities enabled by Trickbot, including ransomware, are clearly on the rise in the United States. “I firmly believe that we’re on the verge of a global emergency,” he said in a statement to The Washington Post.
“With the U.S. election already underway, we need to be especially vigilant in protecting these systems during this critical time,” Krebs said. “This action proves that when the defenders team up, we can adapt to cripple the bad guys and make meaningful progress in improving our cybersecurity.”
Microsoft says the botnet run by Trickbot operators includes at least 1 million infected computers, and that it is the one most commonly associated with the distribution of ransomware. Other analysts say the network includes closer to 3 million infected computers.
In recent weeks, the U.S. military has mounted an operation to temporarily disrupt Trickbot, hijacking its command and control servers to send out updates to all infected computers, effectively severing the communication between the victimized computers and the servers. The operation by U.S. Cyber Command is aimed in part at helping to secure the election, but also to more broadly damage a network that has cast a wide net, ensnaring state and local governments, banks, health-care institutions and research facilities in the United States and globally.
Cyber Command’s efforts were not expected to permanently dismantle the network, but officials say even temporary disruption serves to distract criminals as they seek to restore operations. Microsoft’s attempts may yield more lasting effects, analysts say, if it is successful in depriving the network of backup servers.
The company obtained a temporary restraining order Tuesday, allowing it to seize Internet addresses from eight hosting providers in the United States. The company is working with Internet providers in other countries to hobble Trickbot’s operations.
Microsoft has no evidence that the botnet ringleaders intended to seek to disrupt the election, Burt said. Rather, the firm was concerned about the botnet’s potential to be used to fuel confusion, perhaps by locking up voter-registration or e-pollbook systems in the lead-up to and on Election Day. Reporting systems or voter-registration sites are easier targets for hackers than the actual systems that count the ballots, which governments have worked to harden over the years.
Criminals have already used Trickbot against a major health-care provider, Universal Health Services, whose systems were crippled by the ransomware known as Ryuk. The attack forced staff to resort to manual systems and paper records, according to reports. UHS runs more than 400 facilities across the United States and Britain. Some patients reportedly were rerouted to other emergency rooms and experienced delays in getting test results.
Hackers have used the same ransomware to target a Defense Department contractor, the city of Durham, N.C., and a technology vendor for nursing homes, Microsoft said.
Tyler Technologies, which sells data management software to U.S. cities and counties, acknowledged that its systems were hit by ransomware. Some of that software can be used to share election results, though that is not the company’s primary focus.
Through their actions, Microsoft and Internet providers in other countries sought to disable the botnet’s command and control servers and backup servers. Microsoft also sought to suspend all services to Trickbot operators and block any effort by the operators to lease or buy new servers, the firm said. The effort was timed to deprive botnet operators of the opportunity to rebuild their zombie army before the election, it said.
Joining Microsoft’s lawsuit was the Financial Services Information Sharing and Analysis Center, a trade group of more than 4,400 banks and financial institutions focused on the sharing of global cyber threats to financial services.
Microsoft helped pioneer the use of court orders to dismantle botnets, dating to 2010, when it worked with academic and global industry experts to shut down the Waledac botnet. In this case, besides claiming violations of federal hacking laws, Microsoft also argued that the botmasters infringed its copyrights by distributing malware that incorporated Microsoft code without permission.
In a blog post, Burt said he anticipated that the criminals would seek to reconstitute the botnet and that Microsoft and its partners will take additional steps to stop them.
