Microsoft further disrupts botnet, after initial efforts showed limited effect

The software giant, aiming to thwart election disruption, hobbled Trickbot’s command-and-control servers abroad after last week’s seizure of the botnet’s U.S.-based devices

October 20, 2020 at 2:23 p.m. EDT
The New York store of Microsoft, which Tuesday disclosed additional efforts to hobble the Trickbot botnet that it feared could disrupt the 2020 presidential election. (Mark Kauzlarich/Bloomberg)

SEATTLE — After Microsoft seized the U.S. servers of a botnet it feared could snarl state and local computer systems to sow distrust of the presidential election, the software giant now claims the international operations of Trickbot have largely been shut down as well.

Security researchers had questioned the effectiveness of Microsoft’s efforts to thwart the Trickbot botnet, a network of computers secretly infected by malware that can be controlled remotely, after seeing international servers still active and sending out malware via spam late last week. But Tuesday, Microsoft said its continuing efforts with global partners eliminated 94 percent of Trickbot’s “critical operational infrastructure,” including “command-and-control servers” when the company first seized U.S.-based servers and new infrastructure Trickbot’s operators tried to bring online.

The U.S. seizures and the international cooperation with tech partners “has always been about disrupting Trickbot’s operations during peak election activity — doing what we can to take action at a critical time — and we’re encouraged by what we’re seeing,” Tom Burt, Microsoft’s vice president of customer security and trust, wrote in a blog post Tuesday.

Trickbot, which is run by Russian-speaking criminals, posed a “theoretical but real” threat to election integrity by launching ransomware attacks, in which data is rendered inaccessible unless the victim pays a ransom, Burt told The Washington Post in an interview last week. Microsoft’s concern was not that the botnet could alter actual results, but rather that it could hobble election-reporting systems or other election technology that would shake the confidence of voters, especially those already on edge from President Trump’s unfounded assaults on the integrity of mail-in ballots.

Several days after Microsoft’s initial action, security researchers, such as Intel 471, questioned the effectiveness and noted Trickbot’s international operations still spreading malware. On Tuesday, though, Intel 471 said in a blog post that the global efforts were showing “success against Trickbot infrastructure.” It noted “a small number” of Trickbot command-and-control servers continue to operate in Brazil, Colombia, Indonesia and Kyrgyzstan.

Microsoft said it has now disabled 120 of the 128 servers it identified as Trickbot infrastructure around the world, including devices that came online after its initial action. The company, though, expects Trickbot operations to continue to find other ways to stay active.

“This is challenging work, and there is not always a straight line to success,” Burt wrote.

Microsoft’s efforts may also have been helped by U.S. Cyber Command, which launched its own campaign against Trickbot in recent weeks. And last week, the European policing agency Europol arrested 20 people for allegedly belonging to an international ring that laundered millions of euros stolen by cybercriminals through malware schemes and also aided Trickbot’s operators.