Microsoft takes down hacking network with potential to disrupt election

This story is part of Elections 2020, CNET’s coverage of the run-up to voting in November.

A group of tech companies dismantled a powerful hacking tool used by Russian attackers just three weeks before the US presidential election. On Monday, Microsoft announced actions against Trickbot, a Russian botnet that’s infected more than a million computers since 2016 and that’s behind scores of ransomware attacks. 

Cybersecurity experts have raised concerns about ransomware attacks casting doubt on election results. While a ransomware attack wouldn’t change votes and could only lock up machines, the chaos stirred by a cyberattack could create uncertainty about the outcome of the results. 

Election officials in most states have offline backup measures in the event of a ransomware attack, but have a harder time tackling the disinformation that comes with getting hacked. Ransomware attacks are also a concern for counties because they don’t have many cybersecurity resources.

Ransomware attacks have steadily increased over the four years since Trickbot came online, and they’ve targeted municipal institutions like schools, courts and hospitals. Trickbot, the world’s largest botnet, is believed to be behind last month’s ransomware attack on Universal Health Services, which locked up computers in hundreds of hospitals in the US.

Trickbot hasn’t affected any election infrastructure yet, and US officials have noted that there haven’t been significant cyberattacks against the US election, but the takedown announced Monday closes off a powerful tool that Russian hackers could’ve used to interfere with the election. 

“We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” Microsoft’s vice president of customer security and trust, Tom Burt, said in a statement.

The cybersecurity arm of the Department of Homeland Security expressed its gratitude for the work by Microsoft and its partners to disrupt the operation.

“The types of harmful activities enabled by TrickBot, including ransomware attacks, are clearly on the rise in the U.S. and I firmly believe that we’re on the verge of a global emergency,” Cybersecurity and Infrastructure Security Agency director Chris Krebs said in a statement. “And with the U.S. election already underway, we need to be especially vigilant in protecting these systems.”

How the TrickBot takedown went down

The takedown came about through a partnership between Microsoft and cybersecurity companies Symantec, ESET, Black Lotus Labs, NTT and FS-ISAC. Tech companies aren’t the only ones who had their sights set on Trickbot — the Washington Post reported on Oct. 9 that the US military launched cyberattacks against Trickbot. 

While that operation reportedly took down Trickbot for only about three days, the actions by Microsoft and the group of cybersecurity companies are expected to have a longer-term effect. Rather than using digital measures to take down the botnet, Microsoft went the legal route. 

The company filed a lawsuit in Virginia arguing that Trickbot violated Microsoft’s copyrights by using its software code for malicious purposes. Microsoft has used this argument to take down other hacking operations in the past, but Trickbot is the largest one yet. 

The court granted an order to allow Microsoft to disable IP addresses and servers used by Trickbot, and also block them from buying more servers. 

For years, the botnet had been particularly difficult to stop because it had a vast network of backups it could use. It had been primarily used for cybercrimes against banks and hospitals, but could have easily turned its targets onto election infrastructure. 

“Trying to disrupt this elusive threat is very challenging as it has various fallback mechanisms, and its interconnection with other highly active cybercriminal actors in the underground makes the overall operation extremely complex,” Jean-ian Boutin, head of threat research at ESET, said in a statement. 

The companies behind the takedown don’t expect the operators behind the world’s largest botnet to stay offline, and said they would continue taking legal actions if it rises again.