What connection, if any, TrickBot’s operators share with the Kremlin remains an open question. But the acceleration of ransomware attacks on American municipalities and government agencies has led U.S. officials and executives at Microsoft to fear that ransomware attacks will be used to lock up election systems in November, either on direct orders from a state eager to undermine American democracy or by cybercriminals who figure the urgency around the election would increase pressure on victims to pay.
In interviews late last week, when the court orders enabling Microsoft to act were still under seal, executives at the company and other firms said they had carefully timed their operations to put Russian cybercriminals on their heels weeks before the election, hoping to disrupt anything they, or the Kremlin, had planned.
“These TrickBot operators are the best,” said Eric Chien, a leading researcher at Symantec who was one of the first to identify Stuxnet, the code written by the United States and Israel to attack Iran’s nuclear centrifuges a decade ago. “If these tools were used in the election, in hindsight people would feel very bad. We’d ask, ‘Why did we wait?’”
Cyber Command appears to have asked the same question. While the command never discusses its operations, at least in advance, its commander, Gen. Paul M. Nakasone, and his senior adviser, Michael Sulmeyer, wrote in Foreign Affairs in August that “we realized that Cyber Command needs to do more than prepare for a crisis in the future; it must compete with adversaries today.”
According to Intel 471, a security firm, there were two attacks on the TrickBot infrastructure before Microsoft received court authorization a week ago to begin its operations. The blog Krebs on Security reported the attacks.
Those two attacks, on Sept. 22 and Oct. 1, apparently conducted by Cyber Command, infiltrated TrickBot’s command and control servers and temporarily cut off cybercriminals’ access to thousands of infected PCs that have been used as a primary conduit for global ransomware attacks.
Last week several officials said the attacks appeared to be the work of Cyber Command, and The Washington Post reported the same on Friday. But experts say it is unclear if any of these operations will put the hackers behind TrickBot out of business permanently.