Through Cyber Command (CyberCom), the U.S. government has mounted an operation to disrupt the Trickbot botnet, the world’s largest botnet, which is run by Russian-speaking criminals who have hijacked millions of computers to engage in malfeasance, including ransomware attacks, according to officials who spoke to the Washington Post’s Ellen Nakashima. The operation isn’t expected to scuttle Trickbot permanently but is part of what the head of Cyber Command Paul Nakasone calls “persistent engagement” to force adversaries to engage constantly.

Cybersecurity journalist Brian Krebs first reported on the Trickbot operation last week without identifying Cyber Command as the disruptor. Citing research conducted by cyber intelligence firm Intel 471, Krebs noted that someone was messing around with the botnet, launching two attacks against Trickbot and pushing new configuration files that told the infected hosts their new malware control server had the address 127.0.0.1, which is a “localhost” address that is not reachable over the public Internet.

briankrebs @briankrebs

On Oct. 2, KrebsOnSecurity reported that someone was screwing with the Trickbot botnet, disconnecting infected systems from their overlords and stuffing the botnet with millions of fake victim records. WaPo now reports this was U.S. Cyber Command's doing: Report: U.S. Cyber Command Behind Trickbot TricksA week ago, KrebsOnSecurity broke the news that someone was attempting to disrupt the Trickbot botnet, a malware crime machine that has infected millions of computers and is often used to spread ransomware. A new report Friday says the coordinated attack was part of an operation carried out by the U…krebsonsecurity.com

October 10th 2020

81 Retweets229 Likes

Cyber Command ostensibly tried to aim its disruptive cyber actions against the Trickbot crew to protect the upcoming elections. The military intelligence arm is widely credited with warding off serious foreign adversary cyberattacks during the 2018 midterm elections.

But ransomware is a growing scourge that seems unstoppable and CyberCom could have also been spurred on by a Trickbot-enabled ransomware attack last month against a major health-care provider, Universal Health Services (UHS), one of the nation’s top health care providers whose systems were locked up by the ransomware known as Ryuk. Computer systems for 400 UHS systems were locked down for days, forcing staff to use pen and paper, potentially jeopardizing thousands of patients' health care.

Underscoring the seriousness of the attack, Senator Mark Warner (D-VA) just yesterday sent a letter to the UHS CEO asking him to answer a series of questions related to the attack. “As one of the nation’s largest medical facility operators with 3.5 million patient visits a year, it is imperative that medical care is provided to all patients without any interruption or disturbance created by inadequate cybersecurity,” he wrote.

Despite the CyberCom effort, the Trickbot gang hasn’t stopped its operations. It appears that the cybercriminals are in fact back to their old tricks, as Catalin Cimpanu suggested in a tweet.

Catalin Cimpanu @campuscodi

Must have not been a successful one. TrickBot was up to its old ... uhm... tricks yesterday

Techmeme @Techmeme

US Cyber Command says it has temporarily disrupted the Trickbot botnet, an army of 1M+ hijacked computers run by Russian-speaking criminals, ahead of elections (@nakashimae / Washington Post) https://t.co/vvR5zSCjHh https://t.co/u4qyz7jShL

October 10th 2020

5 Retweets20 Likes

Cimpanu might be referring to a malware operation aimed at exploiting Donald Trump’s COVID-19 illness. Hackers sent emails phishing emails purporting to link to the status of Trump’s health. Users were instead tricked into downloading the BazaLoader backdoor, a kind of trojan commonly linked to the developers of the TrickBot hacking tool.

Image by Department of Defense - Department of Defense, Public Domain

Share