SEATTLE — After Microsoft seized the U.S. servers of a botnet it feared could snarl state and local computer systems to sow distrust of the presidential election, the software giant now claims the international operations of Trickbot have largely been shut down as well.
The U.S. seizures and the international cooperation with tech partners “has always been about disrupting Trickbot’s operations during peak election activity — doing what we can to take action at a critical time — and we’re encouraged by what we’re seeing,” Tom Burt, Microsoft’s vice president of customer security and trust, wrote in a blog post.
Trickbot, which is run by Russian-speaking criminals, posed a “theoretical but real” threat to election integrity by launching ransomware attacks, in which data is rendered inaccessible unless the victim pays a ransom, Burt told The Washington Post in an interview last week. Microsoft’s concern was not that the botnet could alter actual results, but rather that it could hobble election-reporting systems or other election technology that would shake the confidence of voters, especially those already on edge from President Trump’s unfounded assaults on the integrity of mail-in ballots.
Several days after Microsoft’s initial action, security researchers, such as Intel 471, questioned its effectiveness and noted that Trickbot’s international operations were still spreading malware. On Tuesday, though, Intel 471 said in a blog post that the global efforts were showing “success against Trickbot infrastructure.” It noted “a small number” of Trickbot command-and-control servers continue to operate in Brazil, Colombia, Indonesia and Kyrgyzstan.
Microsoft said it has now disabled 120 of the 128 servers it identified as Trickbot infrastructure around the world, including devices that came online after its initial action. The company, though, expects Trickbot operations to continue to find other ways to stay active.
“This is challenging work, and there is not always a straight line to success,” Burt wrote.
Microsoft’s efforts may also have been helped by U.S. Cyber Command, which launched its own campaign against Trickbot in recent weeks. And last week, the European policing agency Europol arrested 20 people for allegedly belonging to an international ring that laundered millions of euros stolen by cybercriminals through malware schemes and also aided Trickbot’s operators.