WASHINGTON — Microsoft organized 35 nations on Tuesday to take down one of the world’s largest botnets — malware that secretly seizes control of millions of computers around the globe. It was an unusual disruption of an internet criminal group, because it was carried out by a company, not a government.
The action, eight years in the making, was aimed at a criminal group called Necurs, believed to be based in Russia. Microsoft employees had long tracked the group as it infected 9 million computers around the world, hijacking them to send spam emails intended to defraud unsuspecting victims. The group also mounted stock market scams and spread ransomware, which locks up a computer until the owner pays a fee.
Over the past year, Microsoft’s Digital Crimes Unit has been quietly lining up support from legal authorities in countries around the world, convincing them that the group had seized computers in their territories to conduct future attacks.
“It’s a highway out there that is used only by criminals,” Amy Hogan-Burney, the general manager of the Digital Crimes Unit and a former FBI lawyer, said Tuesday. “And the idea that we would allow those to keep existing makes no sense. We have to dismantle the infrastructure.”
The team struck Tuesday, from an eerily empty Microsoft campus. Tens of thousands of workers had been ordered to stay home because the area near the headquarters in Redmond has been a hot spot for the novel coronavirus. But taking down a botnet, the company concluded, was not a work-from-home task.
After cleansing the Digital Crimes Unit’s command center to eliminate any live viruses, a small team of Microsoft workers gathered in a conference room at 7 a.m., flipped on their laptops and began coordinating action against another kind of global infection.
As soon as a federal court order against the Necurs network was unsealed, they began prearranged calls with authorities and network providers around the world to strike Necurs at once, cutting off its connections to computers around the globe.
“Was Mongolia hit? I think it was in the court order,” one Microsoft employee asked. There was debate about Somalia — “a very last-minute win,” another noted — and discussion of the fact that Nevis, the Caribbean island, was both the birthplace of Alexander Hamilton and an unwitting host for a small element of the botnet.
“Tajikistan?” one person in the room asked, looking for it to turn green on a map overhead, indicating that the botnet had been neutralized there. “No joy yet.”
Rapidly, they took over or froze 6 million domain names that Necurs was using or had inventoried for future attacks. A domain name can be a website — www.nytimes.com is a legitimate one, for example — but Necurs had created an algorithm to spawn millions of new domains, often with deceptive names, for future use against unsuspecting victims. Microsoft engineers had cracked the code.
Domain names are sold around the world, a profitable business, but Hogan-Burney said she had no illusions that the group would be permanently disabled. “We’ve cut off their arms, for a while,” she said.
Necurs is not believed to be a state-sponsored Russian group. But intelligence officials say it is tolerated by the Russian state, and on regular occasions the Kremlin’s intelligence services use private actors to pursue their goals. The Internet Research Agency, which mounted the social media disinformation campaign on Facebook and other platforms during the 2016 U.S. presidential election, was a private group, though founded by a close friend of President Vladimir Putin of Russia.
By Tuesday’s end, there was satisfaction that, for the 18th time in 10 years, Microsoft had taken down a digital criminal operation. But it was unclear whether anyone would be indicted, or even if indicted, whether they would ever face a trial.
Microsoft executives acknowledged that this was a game of whack-a-mole, and that the creators of Necurs and groups like it would be back.
“The cybercriminals are incredibly agile,” said Tom Burt, the executive who leads Microsoft’s security and trust operations, “and they come back more sophisticated, more complex. It is an ultimate cat-and-mouse game.”
The next battlefield, he said, would be the 2020 presidential election.
“We expect the volume and sophistication of the adversary attacks to accelerate as we get closer to Election Day,” he said.
“They will play many of the same moves they used in 2016,” Burt said. “But they will use others as well,” including the possibility of ransomware that locks up local voter registration systems, a major fear of election officials across the United States.
“The trick this time is to be ready, agile and aware that we have to be one step ahead,” he said.