SEATTLE – Cyber security researchers questioned the effectiveness of Microsoft’s effort this week to disrupt a botnet it feared could snarl state and local computer systems to sow distrust of the upcoming presidential election.
The software giant said Monday that a court order it won from a federal judge in the Eastern District of Virginia to seize control of U.S.-based servers controlling the Trickbot botnet, a network of computers secretly infected by malware that can be controlled remotely. That allowed Microsoft to disrupt hackers’ ability to operate with the election a little more than two weeks away amid worries that they would spread ransomware to lock up election-reporting systems on election day, shaking the confidence of voters.
But the U.S.-based threat intelligence company Intel 471 found that Trickbot continues to operate four days after Microsoft’s seizure of the botnet’s U.S. servers. And the Swiss security site Feodo Tracker, found 18 such servers still active and sending out malware via spam, despite Microsoft’s efforts.
“They definitely disrupted them, but Microsoft’s actions have not altered the capability of Trickbot to do what they did before,” Intel 471 chief executive Mark Arena said.
Microsoft appears to have taken down all of the Trickbot command-and-control servers in the United States. As of Thursday afternoon, though, 11 servers outside the country that had been running before Microsoft’s action were still online, from Jakarta to Utrecht to Bogota, according to Intel 471 data.
What’s more, Trickbot’s operators brought another dozen servers online outside the United States, in cities including Amsterdam, Berlin and Moscow, Intel 471 found.
“The bad guys have learned,” Arena said. “They spread them out all over the world. They’ve built resilience and backups.”
Microsoft countered that it remains in the middle of its efforts to disrupt Trickbot.
“We believe we have succeeded in severely limiting Trickbot’s capabilities. Our disruption work is ongoing in the US and around the world, and third party reports do not reflect the current state,” Microsoft’s vice president of customer security and trust Tom Burt said in a statement.
Microsoft always anticipated that the hackers running Trickbot would move to restore its operations.
“We are actively tracking these efforts and executing additional and significant new steps toward continued disruption,” Burt said. The company declined to disclose what those steps are.
The botnet run by Trickbot operators includes at least 1 million infected computers, Microsoft has said, though other analysts peg the number at closer to 3 million devices. Those infected computers can be used to spread ransomware, as well as to send malicious spam email to unsuspecting recipients.
In fact, even after Microsoft’s action, Trickbot was used to spam malware in the United States Friday, said Roman Hüssy, security researcher at abuse.ch, the nonprofit group that operates Feodo Tracker. So far, Microsoft’s tactics appear at best to have disrupted Trickbot for a few days, Hüssy said, though he acknowledged that further actions could cause addition challenges to the botnet. But with so many command-and-control servers operating, and continuing to spam victims, Microsoft’s disruption campaign “doesn’t look very promising,” Hüssy said.
Though some botnet infrastructure was dismantled, the cyber criminals have moved to new servers and found ways to bring in new victims, said Alex Holden, chief executive of Milwaukee-based Hold Security. He said in the last few days, the botnet infected more than 1,000 new computers in the United States and beyond.
“Unfortunately,” he said, “a number of command and control servers are still active.”
In seizing control of the U.S. servers earlier this week that send instructions to the botnet, Burt raised the specter that Trickbot, run by Russian-speaking criminals, posed a “theoretical but real” threat to election integrity in an interview with The Washington Post. Microsoft feared Trickbot operators could launch ransomware attacks that wouldn’t alter actual election results, but rather hobble a precinct’s ability to report results, for example, undermining voter confidence.
Microsoft wasn’t alone in trying to disrupt Trickbot. In recent weeks, U.S. Cyber Command also launched a campaign against the botnet. And on Thursday, the European policy agency Europol arrested 20 people for allegedly belonging to an international ring that laundered millions of euros stolen by cybercriminals through malware schemes, and also aided Trickbot’s operators.
So while the effectiveness of Microsoft’s attempts to disrupt Trickbot are limited, the “triple whammy” of the company’s action along with Cyber Command and Europol will make hackers “less likely to use Trickbot to shoot out ransomware,” said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham.
The Washington Post’s Ellen Nakashima contributed to this report.