Persistently Engaging TrickBot: USCYBERCOM Takes on a Notorious Botnet
For the first time, it appears, U.S. Cyber Command has conducted a disruption operation against a non-state actor outside the context of war. Here’s what you need to know.
Published by The Lawfare Institute
in Cooperation With
In a special episode of Risky Business in May, Patrick Gray and I spoke about the growing wave of harm caused by ransomware and the possibility that, at some point, this harm might cross a threshold warranting intervention by government agencies other than the usual law enforcement entities. More to the point, we speculated about the possibility of “releasing the hounds” in the form of operations that might be conducted by militaries or intelligence agencies to disrupt the capabilities of the most problematic ransomware crews.
Four months later, it appears that one or two hounds have indeed been released.
Ellen Nakashima of the Washington Post reported on Oct. 9 that U.S. Cyber Command (USCYBERCOM) has conducted operations to disrupt the functions of TrickBot—a malware package distributed across and enabling a massive botnet controlled by an organized crime group that has not been specifically identified but that is usually described as Russian speaking (if not actually Russian) and quite sophisticated in terms of its technical capabilities and operational security. USCYBERCOM, of course, has conducted operations against non-state actors before (see the war with the Islamic State and Joint Task Force-Ares), but this appears to be the first publicly confirmed instance in which it has done so outside the context of armed conflict (notably, Nakashima’s story relies on disclosures from four “U.S. officials,” but USCYBERCOM itself declined to comment).
Before digging into the USCYBERCOM story in more detail, I should note that Microsoft today revealed its own effort to disrupt TrickBot. Acting in collaboration with a group of private-sector companies and researchers, Microsoft last week obtained a court order allowing it to seize at least some of the command-and-control (C2) servers used by TrickBot’s operators (apparently on a copyright violation theory). As more details emerge about that story, I may post about it. For now, though, let’s focus on USCYBERCOM’s intervention.
1. What exactly is TrickBot?
TrickBot is a malware package that emerged in 2016, with a focus at that time on draining bank accounts. It was certainly effective as a tool to inject malware into banking systems, but it was not limited to that functionality. TrickBot forms a botnet (that is, a network of infected machines subject to some extent of control by the botnet’s operator), one that is capable not only of exfiltrating information (such as bank account login credentials) to C2 servers but also of receiving new capabilities and instructions. In 2018, for example, TrickBot received updated ransomware capabilities. By 2019, descriptions of TrickBot depicted it as supporting a wide spectrum of attacks, with modular capabilities ranging from remote-viewing-and-control of infected machines, to extraction of credentials and other data, to deployment of ransomware such as Ryuk. Between 1 million and 3 million devices, worldwide, may be infected with TrickBot.
2. Who uses TrickBot?
Like many botnets, TrickBot is at least at times used not only by its unidentified operator (again, widely thought to be a Russian-speaking crew) but also for hire. That is, TrickBot is an example of malware-as-a-service. Not just anyone can access the malware, however. As described in this Intel471 report, a would-be user of TrickBot’s capabilities has to have a considerable track record in the underground world of cybercrime even to begin conversations to get in on the operations. That said, it is intriguing to note that North Korean agents on at least one occasion appear to have secured access to TrickBot in order to deliver their own malware.
3. There are many botnets. Why should the U.S. government be especially concerned about TrickBot?
First: The collective harm from ransomware is on the rise, and TrickBot happens to be a particularly capable vehicle for delivery of ransomware. This alone might warrant special attention to this botnet. The fact that this only addresses part of the general ransomware problem is an argument for further action of this kind, not an argument against trying even this initial step. USCYBERCOM’s decision to extend the “persistent engagement” model to this non-state scenario, from this point view, might best be understood as a prototype effort.
Second: The possibility that state actors might exploit it as well (and not just for ransomware) adds to the concern, with the North Korean’s use of TrickBot showing that this fear is not mere speculation. The widespread belief that TrickBot’s operators speak Russian, along with the Russian government’s history of working with and through organized crime entities, perhaps adds to this concern.
Third: There is the upcoming election in the United States. This is the specific concern cited in Nakashima’s article breaking the news about USCYBERCOM’s intervention: a desire to throw sand in the gears of TrickBot in the final weeks prior to the election, thereby reducing the chances that the botnet will be used by someone (whether its operators or a hostile government renting its services) to drop ransomware targeting systems linked to the election. I should emphasize that the article does not suggest there is specific intelligence indicating someone’s intent to use TrickBot in this way, but it certainly is possible that such intelligence exists and that this is what prompted USCYBERCOM to extend its persistent engagement activities to this particular scenario. (Indeed, it could also be that there is information available to USCYBERCOM that points to state actors intending to use TrickBot for election-related ends; that’s pure speculation on my part, however.)
Fourth: The impact of ransomware on medical providers, in particular, is an issue of mounting concern. As it happens TrickBot apparently was the vector for delivery of the Ryuk ransomware in the high-profile September attack on Universal Health Services, which resulted in computer shutdowns impacting some 400 health care institutions in the U.S. and the U.K.
4. What exactly did USCYBERCOM do to TrickBot?
A week before U.S. officials disclosed to the Washington Post that it had intervened against TrickBot, Brian Krebs had reported that something was afoot, drawing on the work of cyber threat intelligence firm Intel 471.
First, on Sept. 22 and again on Oct. 1, someone had managed to harness the TrickBot control infrastructure in order to issue a revised configuration file to infected machines, providing a new IP address for their C2 server. The idea was straightforward: Cut off the infected machines from the operators’ control by redirecting their C2 pathway to the address 127.0.0.1 (the “localhost” address, which in practical terms redirects software back to the local machine and, thus, functions as a dead end for communications purposes).
Second, Krebs reported that another intelligence firm (Hold Security, which tracks data that TrickBot harvests) had detected a massive increase in the volume of records yielded by TrickBot. The firm concluded that this was not the fruit of TrickBot’s own efforts but, rather, that someone had someone managed to inject a vast flood of apparently bogus records into TrickBot’s system, perhaps burying or obscuring the real records in the process. If nothing else, this move would have created a lot of resource-consuming headaches for TrickBot’s operators as they set about to fix the mess.
5. So…did it work?
Of course, it is very hard to answer that question with any confidence, from the public’s perspective, given the limited information available. Setting that aside, however, the public information reveals this much:
First, consider whether this intervention seems successful from a disruption perspective. Not all machines infected with TrickBot will have received the updated config file redirecting messages to the dead end, but certainly many did. Alas, TrickBot apparently has an emergency backup communications capacity, according to the Krebs report, and thus it is possible that TrickBot’s operators will manage to replace the dead-end directive with a revised config file of their own. And reports indicate that the network does seem to be operating relatively normally once again. This suggests that the intervention was successful only briefly. But USCYBERCOM apparently ran this play twice already, and it could be in a position to do this repeatedly over time (indeed, it could be that each time TrickBot’s operators restore their own control over the botnet, they may by the same token be restoring the ability of USCYBERCOM to hijack that control to issue another dead-end directive to the infected machines). Certainly, the world is better off with TrickBot repeatedly disrupted in this way, even if its operators are able to restore functions each time.
From that perspective, it’s also worth noting that USCYBERCOM’s persistent engagement model presumes that the imposition of “friction”—in the form of the time, money, management and resources that a target must reallocate to respond to interventions—is itself a major benefit of disruptive operations, especially if the friction can be sustained over time. On this view, the operations not only have moments of direct disruptive impact, but they also consume scarce target resources and thus in opportunity-cost terms reduce the target’s overall capability to cause harm. The right way to understand USCYBERCOM’s actions thus might be that we are looking at the early stages of a sustained friction-imposition program, not just a one-off shot across their bow.
Speaking of a shot across their bow: I should note, too, that disruption is not necessarily the only goal for USCYBERCOM in this instance. Deterrence matters too, and it is possible that another intended feature of USCYBERCOM’s actions was to send a highly credible signal to TrickBot’s operators that USCYBERCOM is indeed willing and able to take direct action in their networks (whether through a technical access it has established, or—don’t forget this possibility—a human asset working from the inside).
On this view, USCYBERCOM has begun with a modest intervention, yet plainly could escalate the intensity of the move. Combined with the unusual decision to confirm to the Washington Post that USCYBERCOM was behind this intervention, and that story’s emphasis on the risk of election interference, it could be that there is a message here for TrickBot’s operators: Don’t screw with the U.S. election. That would make this somewhat analogous to the 2018 episode in which USCYBERCOM directly communicated to various Russian actors that it had access to their systems and would be monitoring to ensure they did not engage in election interference.
And that perhaps is the bottom line for this episode as it currently stands: A few hounds have been released, but there are more and bigger ones still in the kennel.
[Editor’s note: This post was updated on 10/13/20 to reflect the fact that the Washington Post story mentioned below relied on disclosures made by “four U.S. officials” and that USCYBERCOM declined to comment for that story.]