Microsoft takes down hacking network with potential to disrupt election


Microsoft obtained a court order to disrupt the largest botnet in the world.

Angela Lang/CNET

This story is part of Elections 2020, CNET’s coverage of the run-up to voting in November.

A group of tech companies dismantled a powerful hacking tool used by Russian attackers just three weeks before the US presidential election. On Monday, Microsoft announced actions against Trickbot, a Russian botnet that’s infected more than a million computers since 2016 and is behind scores of ransomware attacks. 

Cybersecurity experts have raised concerns about ransomware attacks casting doubt on election results. While a ransomware attack wouldn’t change votes and could only lock up machines, the chaos stirred by a cyberattack could create uncertainty about the outcome. 

Election officials in most states have offline back-up measures in the event of a ransomware attack, but have a harder time tackling the disinformation that comes with getting hacked. Ransomware attacks are also a concern for local counties because they don’t have many cybersecurity resources.

Ransomware attacks have steadily increased over the last four years since Trickbot came online, and specifically target municipalities like schools, courts and hospitals. Trickbot is believed to be behind the ransomware attack on Universal Health Services, locking up computers in hundreds of hospitals in the US.



Trickbot hasn’t affected any election infrastructure yet, and US officials have noted that there have been no significant cyberattacks against the US election, but the takedown efforts announced on Monday close off a powerful tool Russian hackers could have used to interfere with the election. 

“We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” Microsoft’s vice president of Customer Security and Trust Tom Burt said in a statement. 

The takedown came as a partnership between Microsoft and cybersecurity companies Symantec, ESET, Black Lotus Labs, NTT and FS-ISAC. Tech companies aren’t the only ones who had their sights set on Trickbot — the Washington Post reported on Oct. 9 that the US military launched cyberattacks against Trickbot to disrupt the world’s largest botnet. 

While that operation reportedly only took down Trickbot for about three days, the actions from Microsoft and the group of cybersecurity companies are expected to have a longer-lasting effect. Rather than using digital measures to take down the botnet, Microsoft went the legal route. 

The company filed a lawsuit in Virginia arguing that Trickbot violated Microsoft’s copyrights by using its software code for malicious purposes. Microsoft has used this argument to take down other hacking operations in the past, but the Trickbot takedown is the largest one yet. 

The court granted an order allowing Microsoft to disable IP addresses and servers used by Trickbot, and also to block its operators from buying more servers. 

For years, the botnet had been particularly difficult to stop because it had a vast network of back-ups it could fall back on. It had been used primarily for cybercrimes against banks and hospitals, but could easily have been turned against election infrastructure. 

“Trying to disrupt this elusive threat is very challenging as it has various fallback mechanisms, and its interconnection with other highly active cybercriminal actors in the underground makes the overall operation extremely complex,” Jean-Ian Boutin, head of threat research at ESET, said in a statement. 

The companies behind the takedown don’t expect the operators of the world’s largest botnet to stay offline, and said they would continue taking legal action if it resurfaces. 
