SecureMac, Inc.

U.S. Cyber Command attacks hackers

October 12, 2020

Amid growing concern about foreign interference in the November elections, military hackers at the United States Cyber Command have started attacking the Trickbot botnet. In this short article, we’ll tell you what’s happening and why it matters for the elections.

What is the Trickbot botnet?

Trickbot is botnet malware: malware that can be used to create networks of infected computers and then coordinate their activity. Originally a banking Trojan, the malware has evolved over the past several years and can now be used to spread ransomware and other forms of malware. It …

U.S. Cyber Command attacks hackers

Amid growing concern about foreign interference in the November elections, military hackers at the United States Cyber Command have started attacking the Trickbot botnet. In this short article, we’ll tell you what’s happening and why it matters for the elections.

What is the Trickbot botnet?

Trickbot is botnet malware: malware that can be used to create networks of infected computers and then coordinate their activity. Originally a banking Trojan, the malware has evolved over the past several years and can now be used to spread ransomware and other forms of malware. It is estimated that Trickbot has infected over 1 million computers worldwide.

Why does the military care?

Since Trickbot can be used to deploy ransomware, security experts see it as a potential threat to the digital infrastructure that will underpin the November elections. In addition, Trickbot is operated by Russian-speaking cybercriminals. Considering the fact that Russian military intelligence uses such threat actors in their campaigns to destabilize geopolitical rivals, it’s understandable that U.S. authorities see the malware as a possible attack vector that could be used to undermine the elections. 

What did U.S. Cyber Command do?

Security researchers who monitor Trickbot first noticed unusual disruptions to the botnet’s activity earlier this month. Configuration files had been sent to infected machines; these files instructed the computers to update the IP address of the Trickbot command and control (C&C) server used by the criminals who run the botnet. However, the IP specified in the new configuration files was the default “localhost” address that just points back to the individual computer itself. In other words, someone told Trickbot to disconnect itself from its controllers! 

In addition, the database used by the hackers to keep track of all of their infected machines was flooded with millions of new (and fake) entries, most likely in an attempt to confuse the bad guys and make it harder for them to use their botnet.

Several days ago, government officials anonymously confirmed to the Washington Post that the attacks were indeed the work of the U.S. Cyber Command.

What was the military’s goal?

The Trickbot botnet hasn’t been destroyed, and the cybercriminals have already restarted their operations. But analysts say that the full dismantling of Trickbot probably wasn’t the point of the military’s operations anyway.

The head of U.S. Cyber Command, Gen. Paul Nakasone, has outlined a strategy of “persistent engagement,” which largely consists of taking the fight to malicious actors — disrupting their activities and degrading their operational capabilities. In an August interview with the Washington Post, Nakasone made it clear where his organization’s focus was for the time being: “Right now, my top priority is for a safe, secure, and legitimate 2020 election”.

The goal of these latest operations was most likely to make life harder for the people who run Trickbot: to disrupt their activities and keep them so busy fixing their broken botnet that they can’t interfere with the upcoming election.

How does this affect me?

Trickbot infects Windows computers, so if you have a Windows machine, or if you use one at work or school, then you can be targeted by this malware. However, in a larger sense, it’s not just Windows users who are at risk. As the government’s concern over the malware indicates, Trickbot could become a tool used by adversaries looking to disrupt democratic elections, and as such, it has the potential to affect everyone.

The malware is often delivered via phishing emails, or sometimes through infected attachments or malicious URLs. So the best advice for individual users is to be mindful of the fact that any email, link, or attachment can, in principle, be malicious. Be extremely careful when handling emails from unknown senders — avoid clicking on links contained in these emails, or downloading any file attachments that they include. In addition, you may want to go over some general tips for spotting a phishing attack, and test yourself to see what you might need to review. Finally, as this truly is an issue that concerns everyone, consider talking about phishing with a “less-technical” friend or relative, both in order to raise awareness of the threat and also to help them protect themselves (and the rest of us) from it. 

Get the latest security news and deals