Microsoft looks to eliminate malware that could disrupt elections

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Imagine malware, planted somewhere in your infrastructure, that can morph as the news and people’s concerns change. That becomes a mechanism for malware-as-a-service to launch destructive ransomware attacks. That’s exactly that the cybersecurity community is facing in Trickbot, which threatens to disrupt the upcoming elections. Now Microsoft has taken action against Trickbot. For what’s going on, Federal Drive with Tom Temin turned to Microsoft vice president for customer security and trust, Tom Burt.

Interview transcript:

Tom Temin: Tom, good to have you on.

Tom Burt: Thanks for having me Tom.

Tom Temin: Before we get to the lawsuit that Microsoft filed today, let’s talk about Trickbot itself. It’s a cute sounding name — what is it and what should we be worried about with it?

Tom Burt: Well, Trickbot is actually one of the most infamous botnets that has been out there over the last several years. And by botnet I mean a network of computers all working at the control of a single criminal syndicate. They’ve infected millions, in this case, at least a million computers around the world with their own malware. And then that lets them control those computers and use them for a wide range of cybercrime activities.

Tom Temin: So they have a platform in other words that they have implanted.

Tom Burt: That’s right, it’s an implanted platform, a network of computers that they can control, they can steal credentials and steal financial information and effectively steal your money — and Trickbots been used for that quite extensively. So the financial community really doesn’t like this botnet at all.

Tom Temin: And how does it get implanted in the first place?

Tom Burt: They use a range of techniques to get the malware on your computer. The most popular by far is phishing. So when you accidentally click on some link in an email, or you answer some threat that you’re about to have, your Netflix account is going to expire better click here and enter your information, all those kinds of things that the bad guys do to phish so that they get access to your computer, the first thing they do is silently download this little bit of malware onto your computer.

Tom Temin: And then that can be used for more malware and more phishing exploits from that platform.

Tom Burt: That’s right. They can use it to steal your money in your information but they can also use it to expand their network of infected devices and use it for cyber criminal activities.

Tom Temin: So yesterday Microsoft did something on the legal front. Tell us what you have done and what you hope to accomplish with that.

Tom Burt: Well yesterday we announced work that actually has been going on over many months, and the legal part of it started last week that enabled us to go to court and get an order that allowed us to take down the core infrastructure that the criminals use to communicate with all their victim computers. And so they use a whole range of IP addresses for that purpose. We were able to get those IP addresses blocked or taken down so that we effectively broke the communication between the cyber criminals and all of their infected devices.

Tom Temin: Isn’t this something that you would think is law enforcement’s domain rather than a private company? What’s the legal mechanism that you can do this under?

Tom Burt: It’s really been a great work that we’ve been doing now for many years. This is the 23rd time now that our botnet team in the Digital Crimes Unit here at Microsoft has taken down one of these cyber criminal botnets. This is maybe one of the most infamous and complicated ones. But it’s an area where we’ve developed great expertise. And when we can, we’ve worked with law enforcement, both here in the United States and globally, to help make sure that the impact of this work is as large as it possibly could be. What we do is we go to court and we allege to the judge that this criminal activity violates a range of different legal statutes. And in this case, we added one for violation of our copyright rights because this particular botnet was reusing our SDKs in order to create the malware that they were putting on victim computers. So we had four or five different legal claims, all of which amounted to these are bad bad guys, and they are hurting our customers, that hurts our reputation, and the trust our customers have in us. We have the right to take some action to stop this and the courts have agreed.

Tom Temin: And what have you learned about this bot other than the mechanism by which it operates? For example, who’s directing it? What country does it originate in?

Tom Burt: We have limited data to enable us to know who is operating it beyond the fact that it does appear that it’s being operated from Eastern European countries. And whether that’s one country or multiple countries, we don’t know there have been others who have reported that they believe it’s controlled from individuals operating from Russia. Whether that’s true or not, we don’t have evidence to have a strong conclusion about that. But Eastern Europe does seem to be the source of the control.

Tom Temin: So you’re taking a practical approach in ending the efficacy of this platform, this botnet, rather than what’s probably impossible, which is to prosecute and stop the people in court because even if you get a injunction against them, how are you going to enforce it if they’re in Eastern Europe or Russia?

Tom Burt: Yeah, it makes it very challenging in this borderless world called the internet for law enforcement to have the impact they would like to have. But despite that, we do refer these cases to law enforcement for possible investigation and prosecution. We referred this one to the FBI back in April. And in the past, we have done botnet takedowns where the FBI has had the ability working with the Department of Justice to conduct an investigation, identify individuals, indict them and convict them. And then when those individuals leave to go to some other country, they have on occasion been arrested, extradited, prosecuted, tried, convicted, and there’s actually a few people in prison in the United States today as a result botnet work we did in the past.

Tom Temin: And getting back to Trickbot — in your research, you have discovered that ransomware is one of the attacks that has been launched by it and that has affected some state and local governments with respect to elections.

Tom Burt: Trickbot is well known to be one of the most significant pipelines for the distribution of ransomware. And they are associated with a couple of particular types of ransomware. One of the reasons we wanted to do this take down and do it before the election is because we like CISA in DHS are very concerned about the risk that ransomware attacks potentially could pose to the upcoming election. And we thought that by taking down one of the largest pipelines for the distribution of ransomware, we could help reduce that risk. But it’s really important people understand we’re not saying we’ve eliminated the risk, we all need to stay absolutely vigilant about this particular risk and continue to work hard to ensure that our elections are safe and secure.

Tom Temin: In other words, it could infect a local jurisdiction and stop all of its data processing to use the old fashioned word in return for a ransom otherwise counts or election rosters of local voters, that kind of thing could be out of play.

Tom Burt: That’s right. Chris Krebs, the director of CISA specifically warned about the chance that ransomware could be used, for example, to completely stop access to voter registration rolls, or to disrupt the reporting of voting results by tying up the entire system demanding a ransom. And you can imagine a world where pure cyber criminals could be doing that as a leverage point to get paid, just as we’ve seen in these many, many ransomware attacks against state and local municipalities that have occurred over the last 12 months or so. We could also imagine a nation state trying to interfere with our election doing this not because they care about getting paid, but because they want to disrupt the election and maybe never providing the key to unlock the data that they’ve tied up with ransomware.

Tom Temin: And having taken the action you have taken with the sanction of a court, aren’t these botnets like hydros, you cut off one head that could resurrect itself in some other vector? And is it therefore a never ending kind of sword fight that you have with these types of botnets?

Tom Burt: It’s absolutely true that the problem of botnets continues to exist, even though, as I mentioned in our case, we’ve taken down 23 of them. But what we have found is when we do this, and we do it in this comprehensive way, it takes a long time for these cyber criminals to rebuild all of the infrastructure they need in order to conduct their criminal enterprise. So do we take them out so they never come back? No, that would require that law enforcement component that you mentioned, which is so hard to do. But what we do is we significantly impede them, we raise their costs, and we slow them down quite a bit. I mean, think about the time and resources it takes to invent this malware to create the very complex structure that these particular guys had working in sites all around the globe for this particular botnet, and then infecting a million or more computers, that’s a lot of time, it’s a lot of money. And that’s all gone now. They have to start from scratch.

Tom Temin: And as a practical matter, what can an organization do to discover if such a botnet component of any botnet, Trickbot or otherwise, exists on your own infrastructure? Is there a way to detect it and root it out?

Tom Burt: Well, now that we’ve taken this botnet down, we work with the ISP and with international organizations, the certs in various countries, because we can now work to identify where those victim computers are, information about them, and then those entities and others can help clean the malware off those devices. But the best things people can do to avoid being the target of a botnet is have two factor authentication established on all of your accounts. It’s not perfect. I’m not saying that it is. But Microsoft data shows that more than 99% of all successful attacks in the last year would have been prevented if two factor authentication had been installed on those devices.

Tom Temin: Tom Burt is vice president for customer security and trust at Microsoft. Thanks so much for joining me.

Tom Burt: Thank you, Tom.

Related Stories