October 10, 2020

A week ago, KrebsOnSecurity broke the news that someone was attempting to disrupt the Trickbot botnet, a malware crime machine that has infected millions of computers and is often used to spread ransomware. A new report Friday says the coordinated attack was part of an operation carried out by the U.S. military’s Cyber Command.

Image: Shutterstock.

On October 2, KrebsOnSecurity reported that twice in the preceding ten days, an unknown entity that had inside access to the Trickbot botnet sent all infected systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control compromised Microsoft Windows computers.

On top of that, someone had stuffed millions of bogus records about new victims into the Trickbot database — apparently to confuse or stymie the botnet’s operators.

In a story published Oct. 9, The Washington Post reported that four U.S. officials who spoke on condition of anonymity said the Trickbot disruption was the work of U.S. Cyber Command, a branch of the Department of Defense headed by the director of the National Security Agency (NSA).

The Post report suggested the action was a bid to prevent Trickbot from being used to somehow interfere with the upcoming presidential election, noting that Cyber Command was instrumental in disrupting the Internet access of Russian online troll farms during the 2018 midterm elections.

The Post said U.S. officials recognized their operation would not permanently dismantle Trickbot, describing it rather as “one way to distract them for at least a while as they seek to restore their operations.”

Alex Holden, chief information security officer and president of Milwaukee-based Hold Security, has been monitoring Trickbot activity before and after the 10-day operation. Holden said while the attack on Trickbot appears to have cut its operators off from a large number of victim computers, the bad guys still have passwords, financial data and reams of other sensitive information stolen from more than 2.7 million systems around the world.

Holden said the Trickbot operators have begun rebuilding their botnet, and continue to engage in deploying ransomware at new targets.

“They are running normally and their ransomware operations are pretty much back in full swing,” Holden said. “They are not slowing down because they still have a great deal of stolen data.”

Holden added that since news of the disruption first broke a week ago, the Russian-speaking cybercriminals behind Trickbot have been discussing how to recoup their losses, and have been toying with the idea of massively increasing the amount of money demanded from future ransomware victims.

“There is a conversation happening in the back channels,” Holden said. “Normally, they will ask for [a ransom amount] that is something like 10 percent of the victim company’s annual revenues. Now, some of the guys involved are talking about increasing that to 100 percent or 150 percent.”


55 thoughts on “Report: U.S. Cyber Command Behind Trickbot Tricks

  1. Paul but not that one

    The easiest way and treasury is trying to implement this, is to to forbid orgs from paying any ransom. This is the only cure.

    1. Naugahyde

      There is a law that forbids US organizations from paying ransomware demands. However, that doesn’t work well when lives are on the line. Not sure I can post a link, but search for “ransomware death” and you’ll see an abundance of articles.

      1. Dave Horsfall

        Then those systems should never have been connected to the Internet; not running a fundamentally insecure system like Windoze would also help…

        1. SkunkWerks

          “fundamentally insecure system”.

          AKA: ANY system

    2. Rcaslow

      there is the FCPA and a new enforcement action with OFAC… but its still only as strong as the enforcement

  2. purpleslog

    Can’t anybody in the US intelligence Community keep their gosh darn mouth shut?

    1. One Flew Over My House

      I’ve felt like that sometimes (“Can’t you all keep a secret?!”), but the.. garbage I’m in the middle of here in Georgia, folks like these in Brian’s article and the newest higher ups in Georgia.. it feels like they’re deliberately getting right up in the faces of these [expletives].

      Pushing them. Letting them know IT’S COMING DOWN THE PIKE like a runaway freight train, and there’s NOTHING the perpetrators can do to stop it.

      1. Phil

        But in the latter part of this blog post, it’s made clear that the disruption was nothing more than a shakedown. For that to avoid having been for nothing, there needs to be a follow up that goes well beyond anything we’ve seen yet

        It’s mentioned here that the disruption might have been only for the coming election, which makes it sound like the US Cyber Command will forget to finish their attack

        Troubling that news has broken well before the operation ought to have concluded. Now the crooks will be regrouping and weeding out the weaker points of their operations. For sure they already are reading this blog post

      2. JamminJ

        Military operations at this scale won’t be secret for long, so might as well tell the story first.

        It’s like bombing a city… people will find out, so why let the story get told first by the other side. Tell the offensive side first, so they can’t lie about it not being so bad.

    2. Peter S. Shenkin

      When considering intelligence leaks, it is always worth remembering that the leaks might be intentional. For example, to distract the attacked organization while a deeper intrusion is being prepared. Or to monitor the attack response to gain deeper insight into the operations. Etc.

    3. Yeah but ...

      I suspect this was a deliberate leak to send a message because the action was largely over with.

  3. Myopia

    How about unleashing a massive DDoS on their C&C servers

  4. Veronica

    fyi…re: Ransomeware and U.S. Regulations

    The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an advisory on ransomware. This was not about the cybercrime itself, but instead, the regulatory trouble your organization could face for facilitating ransomware payments. The OFAC advisory on these cybercrime payments specifically warns financial institutions, cyber insurance firms, and companies that facilitate payments on behalf of victims that they may be violating OFAC regulations. The Treasury Department says more companies are paying ransom to cybercriminals, and the worldwide pandemic is a part of this: “Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely… Read more

    1. JamminJ

      Problem with OFAC, if you’ve ever seen the list… is that they name individuals, groups, countries.
      But ransomware ransoms are paid to bitcoin addresses, and they are NOT listed on OFAC.
      There should be some due diligence to see if the address is linked to a sanctioned entity… but the whole point of cryptocurrency is to obfuscate the recipient, so good luck with that.
      Prosecuting any company that pays a ransom is going to be tough, because they can legitimately believe that the ransom isn’t going to a sanctioned entity.

  5. Michael Schumann

    What is really needed is to identify all of the infected computers and automatically block them from accessing the internet.

    1. Christoph Schmees PC-Fluesterer. info

      🙂
      what a brilliant idea!

      1. Logan Carroll

        @micheal Schuman hey bud idk about you but I’d rather not have a government agency blocking my ip from the open internet. The reason being well I’m going to put this plain and simple. If someone or some entity out their attempted a block like this based off knowledge they gained….. How? You a fucking idiot. You strike me as the kid sitting around the little kids table on thanks giving, and you see a relative also sitting at the little children’s table. Instead of saying hello you look at his pumpkin pie slice and it’s bigger than yours. You then set about disrupting dinner because it’s not fair!! I can see you being that whiny little brat whom doesn’t even understand the simple concept that life in itself isn’t fair. You also sound like you very little of any knowledge about how a bit net works and how the different agency’s collect and distribute said data. I’m going to hope you have ZERO political power because a lunatic like you would abuse that power. Fyi what do you think about Snowden hero or villain? Just curious?

        1. Bob

          Dude, your comment just makes you seem deranged.

          Argue with a person’s points, and refute them with data. Ad-hominem attacks just turn everyone off to your position.

    2. InterestedReader

      In my opinion for sure they need to do something with the PCs that are the targets. With so many of them there won’t be “one solution fits all”. Ideally you cut the head of the snake and it dies, but there are way to many snakes to replace it. So severely reduce their army of infected computers.

  6. Admin User

    stopped reading at ‘washington post’ – it’s a C.I.A. mouthpiece and his been so for years.

    C.I.A. et al have interfered in 100x more elections that all the ‘russian botnets’ that ever existed.

    Don’t believe me? Google ‘CIA election interference’

    And that’s just the ones they let us know about.

    1. Stratocaster

      “ Google ‘CIA election interference’ ”

      Now THERE’s a rigorously designed research strategy.

  7. Notme

    Ahh just what I needed for my morning coffee and paranoia time. Thanks comment section!

  8. Janine

    Let’s just hope that we don’t crash 75% of the world’s VPN ISP as thwarting botnets involves telling ISP to reject ranges of IP addresses, including VPNs. Your VPN could be coming to a halt or not usable sometime soon.

  9. JCitizen

    It’s about time our government did SOMETHING about “cyber” crime!!

    1. Roger Nebel

      …do you really believe this was the first time?…

      1. JCitizen

        I should hope not, but how many times were we promised a “cyber security czar” by past administrations, only to disappear from the news? This is at least the first really positive news I’ve heard in a long while! Especially what I consider aggressive action; which is what I prefer.

    2. Mark Giles

      Some people denounce this story for revealing too much information. Others demand to know what else is being done.

      You can’t please all of the people all of the time, or fulfill contradictory requirements.

  10. Steve C#

    This sounds like a shot across the bow that they have drawn the attention of the American Federales.

    1. Some Dude

      This sounds most likely.

      Cyber Command isn’t going to act against any old international crime ring unless they have specific intelligence about specific operations targeting specific systems that Cyber Command has deemed critical to national interests.

      And this month there’s 3000+ County election systems that meet that criteria. Some criminal org probably thought they would try their luck ransoming some county elections systems and NSA sent them a little reminder of where they are in the cyber food chain.

  11. king james

    really wondering why the security services cannot contact computer owners involved to advice. Seems all the cyber criminals find usa a soft target for attacks.

    1. Robert

      Why don’t we contact them? There are multiple reasons:

      1) It is time consuming and therefore expensive.

      2) You have to figure out who to contact.

      3) Having done a few of these contacts, and not have the street cred Krebs has, the reception is mostly chilly and hostile.

      In a few cases, I’ve been able to ID someone the compromised person knew and had them do the introductions, which made things go smoother, but mostly people will ignore you.

  12. Robert Scroggins

    I’m glad we are doing something to protect our election. The operation was probably worth the effort, but it’s too bad that they are up and running again. Of course…Cyber Command could be up and running again too. At any rate, the bad guys will have to think about this for awhile and wonder if there is anything else coming their way.

    Regards,

  13. John B

    Seems like the only way to stop cybercrime is to get rid of cybercoins like bitcoin and the Tor browser. Then the flow of money would be easier to follow and easier to prosecute for those countries that we have extradition treaties with. Then you are down to just 4 countries who believe in theft and destroying democracy: N. Korea, Iran, China and Russia.

    1. Logan Blaise Carroll

      Hey John B. Your an American? You don’t sound like one and stop crypto coins hub? I’m literally spitting up coffee reading your comment. Your my good man are fucking raving. Not only that but you have very little knowledge of networks or the infestructure and mechanics of how our finicial sector operate. Ten years from now you won’t recognize the current financial system. The biggest threat to democracy seem to be the very I’ll old men and women that make up the krebs comment section including yourself. Am I’ll informed most likely baby boomer pos that gets ALL of their information about computers and networking from krebs. I’m sure you then go sit around the break table at whatever 20th century job your work at…. And talk about your deep knowledge and understand such matters as the ones you comment about here. Jesus christ you and some of the other posters here actually make me happy for the day you baby boomers/ 1960s babies die the fuck off. You lack understand and your obnoxious and quite frankly the most in american pos I’ve seen on here. Kill yourself faggot.

      1. John B

        Logan, yes i am an american and i still feel that getting rid of cybercurrency and the Tor network would eliminate the anounomous element that cybercriminals so depend on. Now if you disagree with me that is your right but i will not sink to your level of insults to validate your lack of a courteous response. You might take a look at the words you chose to use and reconsider who you are and your right to an opinion. I offered mine. You are welcome to yours as long as you keep it respectful. If you cannot do this then perhaps you don’t belong on this excellent network by a top notch reporter, Brian Krebs. Keep it up and you’ll be screened out.

      2. JamminJ

        If this is the defense of cryptocurrency… then it’s having the opposite effect. This vulgar rant makes it seem that cryptocurrency is indeed only used by / defended by immature kids, criminals, and/or greedy speculators.

  14. Joseph

    There needs to be more american cybercriminals hackers attacking russian networks. This must be encouraged and praised like they do for us. Tit for tat.

    1. AJ

      ruaaia has over 760K computer techs on their payroll a d US only has 46k

      we have better fighter jets

      thats pretty much how it evens out in a way, but we are undermanned as far as stopping them :\

      1. Rob

        @AJ This made me laugh I don’t disagree with your sentiment about fighting back. If we can’t outsmart them lets beat them up makes me think of the high school quarterback dealing with the smart kids who make them feel dumb.

        There are more ways to fight first off sheer numbers don’t determine victory. I’ve known a few Russian software engineers (not hackers) most very gifted but none of them what I would consider peerless in their talents.

        Other tools economic sanctions isolation from the rest of the world both digitally and physically via no fly and extradition with other nations. This is a war that will not be won by decisive victories but by attrition. Nothing worthwhile is every been easily achieved this is no different.

        Other people have pointed out other perspectives on the how.

        @JohnB keep in mind you cannot give up freedom to achieve security. In the end you wont have either. I am of course paraphrasing Benjamin Franklin

        @Logan Nothing wrong with the older generations remember you would not be here without them. They see the world differently then we do it does not make them less valid. In fact we should be drawing strength from their perspective and experience rather then disregarding it even if we don’t agree or use it. In some situations they will have ideas you would not have even considered.

        1. John B

          Rob, appreciate your response and wisdom. Like everyone i am searching for effective tools and the bad guys work through being anonymous and digital currency facilitates that. They also use the Tor network and ironically they do not contribute to the very network they depend on by making monetary contributions despite all the gigantic ransoneware thefts they make. I thought of this as i made a contribution to Tor in light of their layoffs taking place because of a lack of funds. You’d think the bad buys would want to fund the Tor Network. Just some thoughts and thanks for your mature comments. Never seen such a rude comment as done by Logan.

  15. J Cunningham

    I think they may have done it a little to early, but what do I know?

    1. C Tech

      100% agreed. Now trickbots admins are able to patch the issue and the current technique used to disrupt the botnet will no longer work. I hope cyber command have another trick up their sleeve for this and other exploits otherwise we’re pretty screwed if they still decide to target the election boxes

      1. Rob

        I could be wrong but always assume they have not played their full hand especially if they are telling you about what they did.

  16. Corbin Jessop

    Awesome! it’s about time the NSA wielded its power to shut these clowns down…. they can do more.. and they should do more…

  17. Kim

    My sentiments exactly. The insanity of it all. But the drama oc it all! The good guys vs. The bad guys.

    Collateral damage irrelevant.

  18. Kim

    Correction. My comment was directed to Dave H. And damn those spell checks.

Comments are closed.