A group of tech companies dismantled a powerful hacking tool used by Russian attackers just three weeks before the US presidential election. On Monday, Microsoft announced actions against Trickbot, a Russian botnet that’s infected more than a million computers since 2016 and that’s behind scores of ransomware attacks.
Cybersecurity experts have raised concerns about ransomware attacks casting doubt on election results. While a ransomware attack wouldn’t change votes and could only lock up machines, the chaos stirred by a cyberattack could create uncertainty about the outcome.
Election officials in most states have offline backup measures in the event of a ransomware attack, but have a harder time tackling the disinformation that comes with getting hacked.
It’s not just the US government racing to disrupt the Trickbot botnet ahead of elections. Microsoft has revealed that it and multiple partners (including ESET, Lumen’s Black Lotus Labs, NTT, Symantec and FS-ISAC) have taken steps to disrupt Trickbot. The tech giant obtained a court order and used “technical action” to prevent the botnet from either starting new infections or activating any dormant ransomware.
The company’s court approval let it disable IP addresses for Trickbot’s command-and-control servers, suspend services to the operators, make server content inaccessible, and block the operators from buying or leasing more servers. On top of this, Microsoft even made copyright claims against Trickbot for reportedly making “malicious use” of the company’s code.
Microsoft was primarily concerned that Trickbot’s operators would use the botnet to disrupt the imminent US election through ransomware. Attackers could lock down systems maintaining voter rolls or reporting on election night results, the
The effort is part of what Gen. Paul Nakasone, the head of Cyber Command, calls “persistent engagement,” or the imposition of cumulative costs on an adversary by keeping them constantly engaged. And that is a key feature of CyberCom’s activities to help protect the election against foreign threats, officials said.
“Right now, my top priority is for a safe, secure, and legitimate 2020 election,” Nakasone said in August in a set of written responses to Washington Post questions. “The Department of Defense, and Cyber Command specifically, are supporting a broader ‘whole-of-government’ approach to secure our elections.”
Trickbot is malware that can steal financial data and drop other malicious software onto infected systems. Cyber criminals have used it to install ransomware, a particularly nasty form of malware that encrypts users’ data and for which the criminals then demand payment — usually in cryptocurrency — to unlock.