Microsoft and a team of companies and law enforcement groups have disabled — at least temporarily — one of the world’s largest hacking operations, an effort run by Russian-speaking cybercriminals that officials feared could disrupt the presidential election in three weeks.
But as soon as Microsoft began dismantling the operations last week, seeking to cripple a network of infected computers known as TrickBot that has been used to paralyze computer systems with ransomware attacks, it discovered that someone else was trying to do the same thing.
In a separate but parallel effort — which was apparently not coordinated with Microsoft — U.S. Cyber Command, the military cousin to the National Security Agency, had already started hacking TrickBot’s command and control servers around the world late last month, according to two government officials.
The one-two punch painted a picture of the accelerating cyberconflict underway in the final weeks before the elections. Cyber Command, following a model it created in the 2018 midterm elections, kicked off a series of covert preemptive strikes on the Russian-speaking hackers it believes could aid President Vladimir Putin in disrupting the casting, counting and certifying of ballots this November. Meanwhile, Microsoft, Symantec and other American companies are doing the same.
TrickBot is their biggest target yet. A vast network of infected computers, known as a botnet, TrickBot has been used for everything from stealing people’s online banking credentials to attacking towns, cities and hospitals with ransomware, malware that locks up victims’ computers until they pay a ransom, often in Bitcoin. So far, TrickBot has not been directed at voting infrastructure, officials say. But it would be well suited to turn against the offices of the secretaries of state who certify tallies, vulnerable voter registration systems or electronic poll books, the records that allow people to vote.
“Just imagine that four to five precincts were hit with ransomware on Election Day,” said Tom Burt, the Microsoft executive overseeing the team that has been dismantling TrickBot.
“Talk about throwing kerosene on this unbelievable discussion of our elections and about whether the results are valid or not,” Burt said. “It would be a huge story. It would churn on forever. And it would be a huge win for Russia. They would be toasting with vodka well into the next year.”
“That is a risk I want to take out,” he said.
Burt said he did not know for sure where the TrickBot operators were based beyond Eastern Europe. But they are Russian-speaking and have developed their tools into a sophisticated, profitable operation. They not only infect computers, but also catalog lists of infected computers and sell access to valuable systems to other cybercriminals looking to commit banking fraud or lock them up with ransomware.
The list of victims has expanded to include cities in Florida, courts and school districts in Georgia, The Los Angeles Times, the city of New Orleans and state agencies in Louisiana, and, in recent weeks, one of the largest medical cyberattacks in U.S. history after ransomware delivered through TrickBot hijacked more than 400 hospitals run by Universal Health Services.
What connection, if any, TrickBot’s operators share with the Kremlin remains an open question. But the acceleration of ransomware attacks on U.S. municipalities and government agencies has led U.S. officials and executives at Microsoft to fear that ransomware attacks will be used to lock up election systems in November, either on direct orders from a state eager to undermine American democracy or by cybercriminals who figure the urgency around the election would increase pressure on victims to pay.
In interviews late last week, when the court orders enabling Microsoft to act were still under seal, executives at the company and other firms said they had carefully timed their operations to put Russian cybercriminals on their heels weeks before the election, hoping to disrupt anything they, or the Kremlin, had planned.
“These TrickBot operators are the best,” said Eric Chien, a leading researcher at Symantec who was one of the first to identify Stuxnet, the code written by the United States and Israel to attack Iran’s nuclear centrifuges a decade ago. “If these tools were used in the election, in hindsight people would feel very bad. We’d ask, ‘Why did we wait?’”
Cyber Command appears to have asked the same question. While the command never discusses its operations, at least in advance, its commander, Gen. Paul M. Nakasone, and his senior adviser, Michael Sulmeyer, wrote in Foreign Affairs in August that “we realized that Cyber Command needs to do more than prepare for a crisis in the future; it must compete with adversaries today.”
According to Intel 471, a security firm, there were two attacks on the TrickBot infrastructure before Microsoft received court authorization a week ago to begin its operations. The blog Krebs on Security reported the attacks.
Those two attacks, on Sept. 22 and Oct. 1, apparently conducted by Cyber Command, infiltrated TrickBot’s command and control servers and temporarily cut off cybercriminals’ access to thousands of infected PCs that have been used as a primary conduit for global ransomware attacks.
Last week several officials said the attacks appeared to be the work of Cyber Command, and The Washington Post reported the same on Friday. But experts say it is unclear if any of these operations will put the hackers behind TrickBot out of business permanently.
Instead, it may be a signal to the Kremlin that any interference will be met in kind.
The initial attacks did not last long. TrickBot’s operators were able to reclaim access to their infected computers within half a day.
Microsoft’s subsequent takedown effort is different, and potentially more damaging. The company asked a federal court in Virginia to force web-hosting providers to take TrickBot’s operators offline, arguing that cybercriminals were violating the United States’ Digital Millennium Copyright Act by using Microsoft’s code for malicious purposes.
Burt said Microsoft began strategizing how to take down TrickBot as early as April but waited until October to act, fearing that an earlier move would give Russia’s hackers time to regroup by November.
The catalyst, Burt said, was seeing that TrickBot’s operators had added “surveillance capabilities” that allowed them to spy on infected computers and note which belonged to election officials. From there, he and other experts speculated, it would not be difficult for cybercriminals, or state actors, to freeze up election systems in the days leading up to the election and after.
“We don’t know if this is Russian intelligence,” Burt said, “but what we know is TrickBot is, by volume, the key distribution pipeline for ransomware and that it would be really easy for state actors to contract with TrickBot to distribute ransomware with the goal of hacking election systems. That risk is real particularly given that so much of the ransomware is targeting municipalities.”
TrickBot first appeared in 2016 as banking malware and was primarily used to steal online banking credentials. But over the past four years, TrickBot has evolved into a “cybercrime as a service” model.
“TrickBot’s botnet has infected hundreds of thousands, if not millions of computers,” said Mark Arena, Intel 471’s chief executive.
Its operators started cataloging the computers they infected, noting which belonged to large corporations, hospitals and municipalities, and selling access to infected computers to cybercriminals and state actors.
Over the past year, TrickBot has become the primary delivery mechanism for the Russian-speaking cybercriminals behind a specific variant of ransomware, known as Ryuk, that has been paralyzing American hospitals, corporations, towns and cities. Its operators were also recently caught selling access to a subset of TrickBot’s infected computers to North Korea’s state-sponsored hackers.
The fear among officials at the Department of Homeland Security, the FBI and the National Security Agency was that its operators would simply hand that same access to Russia’s state hacking groups for free.
Some security researchers caution that there is no evidence to suggest that the ransomware attacks plaguing American networks have anything to do with Russian intelligence, and that reporting the fear U.S. government officials have only creates undue alarm. But others point to attacks on the Georgian government by cybercriminals at the direction of the Kremlin and a breach at Yahoo. In that attack, two Russian agents at the FSB, the successor to the KGB, teamed up with two cybercriminals to hack 500 million Yahoo accounts, allowing criminals to profit while mining their access to spy on journalists, dissidents and U.S. officials.
They also note that when the Treasury Department imposed sanctions on members of an elite Russian cybercrime group in December, they outed the group’s leader as a member of the FSB.
“The ties between the Russian intelligence services and the country’s thriving cybercriminal element are well established,” said John Hultquist, the director of threat intelligence at the cybersecurity firm FireEye. “Criminals have been used to target the Georgian government, to compromise Yahoo. Services like the FSB who are charged with cybercrime law enforcement as well as intelligence collection are in a unique position to bargain with criminals who are already compromised and in need of their protection.”
“Russia is well aware that the cybercriminals it harbors have become a serious problem for its adversaries,” Hultquist added. “Russian cybercriminals are probably a greater threat to our critical infrastructure than their intelligence services. We should start asking whether their tacit approval of cybercrime is not just a marriage of convenience but a deliberate strategy to harass the West.”