Posted October 12, 2020
Amid growing concern about foreign interference in the November election, military hackers at the United States Cyber Command have begun attacking the Trickbot botnet. In this short article we will tell you what is happening and why it matters for the election.
What is the Trickbot botnet?
Trickbot is botnet malware: malicious software that can be used to network infected computers and then coordinate their activity. Originally a banking trojan, the malware has evolved in recent years and is now also used to spread ransomware and other forms of malware. It is estimated that Trickbot has infected over 1 million computers worldwide.
Why does the military care?
Since Trickbot can be used to distribute ransomware, security experts see it as a potential threat to the digital infrastructure that will support the election in November. In addition, Trickbot is run by Russian-speaking cybercriminals. Given that Russian military intelligence uses such threat actors in its campaigns to destabilize geopolitical rivals, it is understandable that US authorities see the malware as a possible attack vector that could be used to undermine the election.
What did the US Cyber Command do?
Security researchers monitoring Trickbot first discovered unusual disruptions to botnet activity earlier this month. Configuration files had been sent to infected machines; these files instructed the computers to update the IP address of the Trickbot command and control (C&C) server used by the criminals running the botnet. However, the address specified in the new configuration files was “localhost”, so the infected machines would try to reach themselves instead of the criminals’ server.
In addition, the database that the botnet operators used to keep track of all their infected machines was flooded with millions of new (and fake) entries, most likely in an attempt to confuse the criminals and make it harder for them to use the botnet.
Several days ago, government officials anonymously confirmed to the Washington Post that the attacks were in fact the work of the US Cyber Command.
What were the goals of the military?
The Trickbot botnet was not dismantled, and the cybercriminals have already resumed operations. But analysts say fully dismantling Trickbot was probably not the point of the military operation anyway.
The head of the US Cyber Command, General Paul Nakasone, has outlined a strategy of “sustained engagement”, which largely consists of taking the fight to malicious actors: disrupting their activities and degrading their operational capabilities. In an August interview with the Washington Post, Nakasone made it clear where the organization’s focus lies: “Right now, my top priority is for a safe, secure and legitimate election in 2020”.
The goal of these recent operations was most likely to make life more difficult for the people who run Trickbot: to disrupt their activities and keep them so busy fixing the broken botnet that they cannot disrupt the upcoming election.
How does this affect me?
Trickbot infects Windows computers, so if you own a Windows computer or use one at work or school, you may be targeted by this malware. In a larger sense, however, it is not just Windows users who are at risk. As the government’s concern about the malware indicates, Trickbot can become a tool for adversaries who want to disrupt democratic elections, and as such, it can affect anyone.
Malware is often delivered through phishing emails, typically via infected attachments or malicious URLs. So the best advice for individual users is to keep in mind that any email, link or attachment can be harmful. Be extremely careful when handling emails from unknown senders: avoid clicking on links in these emails or downloading any attachments they include. In addition, you may want to go through some general tips for detecting a phishing attack, and test yourself to see what you need to review. Finally, as this is really a question that concerns everyone, you should consider talking about phishing with a “less technical” friend or relative, both to raise awareness of the threat and to help them protect themselves (and the rest of us) from it.