Why is U.S Cyber Command & Microsoft looking to dismantle ‘Trickbot’?

Original article was published by Faisal Khan on Artificial Intelligence on Medium


Why is U.S Cyber Command & Microsoft looking to dismantle ‘Trickbot’?

Apparently, One of the largest botnets online may pose a threat to U.S election integrity by launching ransomware attacks

When it comes down to fighting international cybercrime, the global software giant, Microsoft has always been at the forefront. From dismantling the Waledac botnet in 2010 to earlier this year, when the big tech pinned down Thallium — a nation-state hacker group backed by North Korea. Microsoft took down 50 domains that Thallium was using to conduct its nefarious activities.

Of course, that does not stop every malicious activity on the internet. Constant and vigilant monitoring is required to keep these bad players at bay. Ransomware is one of the most popular forms of cybercrimes via which cybercriminals encrypt users’ data and then demand payment — usually in cryptocurrency — to unlock the data. And the malicious network in question today is a Russian botnet called Trickbot. For your information, Botnets are networks of computers secretly infected by malware that can be controlled remotely, and this is one of the biggest ones out there.

Microsoft has now obtained a temporary restraining order from the courts — allowing it to seize Internet addresses from eight hosting providers in the United States, who are facilitating Trickbot’s operations. In recent weeks, U.S Military’s Cyber Command has also been involved in trying to temporarily disrupt Trickbot. Cyber Command’s actions are not expected to permanently dismantle the network, but to preemptively disrupt the botnet’s operations to secure the U.S Presidential elections.

Run by Russian-speaking criminals, the botnet poses a “theoretical but real” threat to election integrity by launching ransomware attacks, in which data is rendered inaccessible unless the victim pays a ransom.”

~ Tom Burt, Microsoft’s VP, Customer Security & Trust.

So why is U.S cyber command so worried about this particular botnet? Researchers believe that the same botnet has been used to deliver ransomware to municipalities in the United States as well as software vendors that service these cities, over the last year. It is also the same botnet that launched a ransomware attack Ryuk, against a major health-care provider, a few weeks ago. Universal Health Services (UHS) runs more than 400 facilities across the United States and Britain. No wonder they are little on the edge.

Although neither Microsoft nor the Cyber Command has any proof of the botnet leaders conspiring to disrupt the U.S elections, the botnet can be certainly used to fuel confusion, either by locking up voter-registration or e-poll book systems in the lead-up to and on Election Day & President Trump’s relentless assaults on the integrity of mail-in ballots is not helping the case. The authorities are not really worried that the election results could be altered, but that one foul move can shake the confidence of the voters.

”I firmly believe that we’re on the verge of a global emergency. With the U.S. election already underway, we need to be especially vigilant in protecting these systems during this critical time.”

~ Christopher Krebs, Head of CISA

Trickbot operators include at least 1 million infected computers, according to Microsoft research. Other analysts estimate that the network includes closer to 3 million infected computers. A court order has now given Microsoft control of the Trickbot botnet’s operations in the United States. The company now has the authority to seize Internet addresses from eight hosting providers in the country, and also to disable the botnet’s command and control servers.

Microsoft has been joined in this endeavor by the Financial Services-Information Sharing and Analysis Center — a trade group of nearly 7,000 financial institutions focused on the sharing of global cyber threats to financial services. The collaboration extends to Internet providers in other countries as well, where similar actions can be executed in addition to blocking any effort by the Trickbot operators to lease or buy new servers.

Even these collective actions are not expected to permanently dismantle the network, as it operates internationally. The whole purpose seems to give the authorities in the U.S enough time to conduct the elections in a free & impartial manner as the cybercriminals look to restore their network. One thing is for sure, fighting cybercrime is going to be an ongoing battle.

Stay informed with the content that matters — Join my mailing list