A little over a week ago, Microsoft announced that it has partnered with various cybersecurity and telecom firms to disrupt the Trickbot botnet as part of a U.S. court order that it secured. The company stated that this botnet is quite advanced and uses a malware-as-a-service model to infect consumer machines and IoT devices with ransomware. While the identities of the operators of Trickbot are currently unknown, Microsoft stated that it has been used both for individual criminal operations and for nation-state objectives, making it even more dangerous with the U.S. presidential elections looming.
Today, the company has provided more details on how it has disrupted Trickbot's network and has outlined what it plans to do next.
In a blog post, Microsoft claimed that as of October 18, a few days after its operation began, it had eliminated 94% of Trickbot's critical operational infrastructure. Out of 69 major Trickbot servers identified, 62 have already been taken down, and the malicious actors operating this botnet have been struggling to add new infrastructure. Microsoft stated that these criminals set up 59 new servers and that the company has disabled all of them, bringing the tally of eliminated servers to 120 out of 128.
The Redmond tech giant noted that since this is an active operation and a painstaking process, with the opposing side taking action as well, these figures should be expected to change regularly. However, the company does have three key takeaways from its work so far.
First and foremost, since securing its initial court order allowing it to disable core Trickbot infrastructure a few days ago, Microsoft has procured several other court orders to ensure that other components of the infrastructure are legally taken down as well, and the company will continue doing so until election day on November 3. It has also been working with its global partners and hosting providers, who have shared key information about the botnet, to uncover new command-and-control servers as well as compromised IoT devices. The company will continue working with ISPs to ensure that compromised devices in households and businesses are remediated so that they do not cause further harm.
Secondly, Microsoft has noticed that the individuals operating Trickbot have been scrambling to set up new infrastructure and to collaborate with other criminals to deploy malicious payloads; while this move is not as dangerous as Trickbot's native capabilities, it is still something to keep your guard up against. The company says that the purpose of this operation has always been to disrupt the botnet during peak election activity, so the fact that the operators have had to divert their attention elsewhere is certainly positive with respect to the operation's success.
Lastly, Microsoft says that its Digital Crimes Unit is well-versed in Trickbot's infrastructure and highly trained in identifying its malicious activity, and will continue to disrupt the botnet's operation in the coming weeks. It has established direct contact with local ISPs, telecom companies, and global partners who are monitoring and sharing information about Trickbot's activities 24/7. The company says:
We fully expect that Trickbot’s operators will continue looking for ways to stay operational, and we and our partners will continue to monitor them and take action. We encourage others in the security community who believe in protecting the elections to join the effort and share their intelligence directly with hosting providers and ISPs that can take Trickbot’s infrastructure offline. As this work continues, it will be important to focus on the collective impact to Trickbot’s capabilities between now and the election, rather than to focus on potentially misleading simplified snapshots from any single moment in time.
Microsoft has also recommended that people directly involved in the elections use the company's tooling, such as AccountGuard, Microsoft 365 for Campaigns, and Election Security Advisors, to protect themselves from similar threats.