Special Report: Microsoft, Cybersecurity Organizations Worked Unknowingly in Tandem with CyberCom to Disrupt Trickbot

Goal was to prevent election-related ransomware attacks by the Russian criminals; botnet disrupted but not permanently disabled

In a move designed to protect the upcoming election, Microsoft and a crew of cybersecurity companies and organizations have disrupted Trickbot, a Russian language hacking operation, through a coordinated action that, unbeknownst to the companies, occurred at the same time U.S. Cyber Command was also attempting the same feat. Microsoft’s executive who had been overseeing the team conducting the operation made it clear that the top concern was ransomware hitting major voting jurisdictions come election day.

If that were to happen, it “would be a huge story. It would churn on forever. And it would be a huge win for Russia. They would be toasting with vodka well into the next year,” Microsoft’s Tom Burt said. FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT, and Broadcom's cyber-security division Symantec were also part of the operation. (David Sanger and Nicole Perlroth / New York Times)

As Brian Krebs points out, Microsoft accomplished its takedown through a legal maneuver: it gained control over many of the Internet servers Trickbot uses to plunder infected systems, based on the novel claim that the crime machine abused the software giant’s trademarks. Although the U.S. District Court for the Eastern District of Virginia granted Microsoft that request, the operation didn’t disable the botnet entirely; it temporarily disrupted it so that Trickbot is no longer able to initiate new infections or activate ransomware already dropped onto computer systems.

Krebs, who first reported that someone was messing with Trickbot, also says that according to real-time information posted by Feodo Tracker, a Swiss security site that tracks Trickbot, six of the botnet’s servers are still live and responding to requests. (Brian Krebs / Krebs on Security)

Related: Microsoft, Databreaches.net, Cyberscoop, Cyberscoop, Bleeping Computer, ZDNet, Engadget, Krebs on Security, Bloomberg, Engadget, Washington Post, SecurityWeek, Reddit - cybersecurity, Engadget, DataBreaches.net

Nicole Perlroth @nicoleperlroth
Some security researchers balked last month when we reported that DHS/FBI/NSA fear ransomware could interfere in the election. Meanwhile, US Cyber Command was busy attacking a primary conduit for ransomware attacks in a preemptive strike before election.

Katie Nickels @likethecoins
When reading any written work, analysts should examine the assessment and the evidence provided. To me, the evidence supporting the hypothesis that these ransomware attacks are related to election interference is minimal and I disagree with the implied assessment. https://t.co/uTBrZ3Ixpv
