Microsoft has obtained a court order to seize servers the company says are part of the Trickbot botnet ahead of the 2020 elections, the Washington Post reported on Monday.
Microsoft vice president of customer security and trust Tom Burt told the Post that the botnet poses a “theoretical but real” threat to election security: it is known to be run by Russian-speaking criminals and could be used to launch ransomware attacks. Ransomware is malware that encrypts the files on the machines and networks it compromises and typically holds that data hostage in exchange for a payment, although attackers could simply forgo the ransom and permanently lock users out of their own computers. A ransomware attack on voting machines, election officials, or political campaigns would be unprecedented, but criminal gangs have targeted municipal and state governments, as well as large institutions like hospitals, in recent years.
Microsoft wrote in a blog post that observing computers infected by Trickbot allowed it to work out how the compromised devices talked to each other and to their controllers, and how they tried to obfuscate that traffic. The same analysis let the company identify the IP addresses of the command and control servers that distribute instructions to, and direct, the Trickbot bots.
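The analysis Microsoft describes, watching known-infected hosts talk to their controllers and pulling out the command and control addresses, can be approximated from ordinary connection logs. The Python below is an added example written for this page; it is not Microsoft's tooling and is not taken from its blog post. It ranks destination IPs by two signals: convergence (many distinct infected hosts contact the same external address) and beaconing (each host contacts it at a near-constant interval, the way a bot checking in on a timer does). The connection records, hostnames and IP addresses (taken from the documentation ranges) are constructed for the example, as is the internal-network list used to discard addresses that a timed internal process would make look like a beacon.

```python
"""
Added example (not from the article or from Microsoft's analysis): find
candidate command-and-control (C2) servers in connection records gathered
on hosts already known to be infected.  Records are (timestamp_s, src_host,
dst_ip, dst_port); everything below is constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Assumed internal ranges.  An explicit list is used rather than
# ipaddress.is_global because the sample's public IPs come from the
# TEST-NET documentation ranges, which ipaddress also treats as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_sample_connections():
    """Constructed connection log for five hypothetical infected workstations."""
    base = 1_600_000_000
    hosts = ["ws01", "ws02", "ws03", "ws04", "ws05"]
    records = []
    for i, host in enumerate(hosts):
        # Bot check-in: every 300 s with a second or so of jitter.
        t = base + 17 * i
        for k in range(6):
            records.append((t, host, "203.0.113.10", 443))
            t += 300 + (k % 3) - 1
        # Legitimate traffic at irregular intervals (e.g. an update mirror).
        for t in (base + 41 * i, base + 1000 + 90 * i,
                  base + 1200 + 110 * i, base + 1700 + 60 * i):
            records.append((t, host, "198.51.100.7", 443))
        # Internal server polled on a timer by every host: looks like a
        # beacon, but it is RFC 1918 space and must not be reported.
        for k in range(6):
            records.append((base + 300 * k, host, "10.0.0.5", 445))
    # One host beaconing alone: perfectly regular, but no convergence.
    for k in range(6):
        records.append((base + 60 * k, "ws01", "192.0.2.55", 8080))
    return sorted(records)


SAMPLE_CONNECTIONS = build_sample_connections()


def beacon_score(timestamps, min_intervals=3):
    """Coefficient of variation of the inter-connection intervals.

    0.0 is a perfectly regular timer; values near or above 1 indicate
    human- or event-driven traffic.  None when there is too little data.
    """
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if len(intervals) < min_intervals:
        return None
    avg = mean(intervals)
    if avg <= 0:
        return None
    return pstdev(intervals) / avg


def find_c2_candidates(records, min_hosts=3, max_cv=0.2):
    """Return (dst_ip, beaconing_host_count, mean_interval_s), most widely
    contacted first, for external IPs that several hosts beacon to."""
    per_dst = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, _port in records:
        per_dst[dst][src].append(ts)

    candidates = []
    for dst, per_host in per_dst.items():
        if is_internal(dst):
            continue
        regular = {}
        for host, ts in per_host.items():
            cv = beacon_score(ts)
            if cv is not None and cv <= max_cv:
                ts = sorted(ts)
                regular[host] = mean(b - a for a, b in zip(ts, ts[1:]))
        if len(regular) >= min_hosts:
            candidates.append((dst, len(regular), mean(regular.values())))
    candidates.sort(key=lambda c: (-c[1], c[0]))
    return candidates


if __name__ == "__main__":
    for dst, n_hosts, interval in find_c2_candidates(SAMPLE_CONNECTIONS):
        print(f"{dst}: {n_hosts} hosts beaconing every ~{interval:.0f} s")
```

Run on the constructed log, only `203.0.113.10` survives: the update mirror is contacted by every host but irregularly, the single-host beacon to `192.0.2.55` never reaches the convergence threshold, and the internal server is dropped before scoring. On real data the thresholds, the internal-network list and the handling of bots that rotate between several controllers all need tuning, and a ranked list like this is a lead for an analyst, not proof that an address is a C2 server.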
On Monday, the company obtained a restraining order against eight U.S. service providers, citing, among other claims, Trickbot's malicious use of Microsoft software code as copyright infringement. That in turn allowed it to have those IP addresses taken offline, cutting the operators off from the estimated 1 million Trickbot-infected devices. Disabling the command and control addresses does not disinfect those devices, which stay compromised until their owners remediate them; what the operators lose is the ability to reach and direct them through those servers. Per the blog post:
As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval