For more than two years, General Paul Nakasone has promised that, under his leadership, United States Cyber Command would “defend forward,” finding adversaries and preemptively disrupting their operations. Now that offensive strategy has taken an unexpected form: an operation designed to disable or take down Trickbot, the world’s largest botnet, believed to be controlled by Russian cybercriminals. In doing so, Cyber Command set a new, very public, and potentially messy precedent for how US hackers will strike out against foreign actors—even those working as non-state criminals.
Over the past weeks, Cyber Command has carried out a campaign to disrupt the Trickbot gang’s million-plus collection of computers hijacked with malware. It hacked the botnet’s command-and-control servers to cut off infected machines from Trickbot’s owners, and even injected junk data into the collection of passwords and financial details that the hackers had stolen from victim machines, in an attempt to render the information useless. The operations were first reported by The Washington Post and Krebs on Security. By most measures, those tactics—as well as a subsequent effort to disrupt Trickbot by private companies including Microsoft, ESET, Symantec, and Lumen Technologies—have had little effect on Trickbot’s long-term operations. Security researchers say the botnet, which hackers have used to plant ransomware in countless victim networks, including hospitals and medical research facilities, has already recovered.
But even despite its limited results, Cyber Command’s Trickbot targeting shows the growing reach of US military hackers, say cyberpolicy observers and former officials. And it represents more than one “first,” says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. Not only is this the first publicly confirmed case of Cyber Command attacking non-state cybercriminals—albeit ones whose resources have grown to the level that they represent a national security risk—it’s actually the first confirmed case in which Cyber Command has attacked another country’s hackers to disable them, period.
“It’s certainly precedent-setting,” says Healey. “It’s the first public, obvious operation to stop someone’s cyber capability before it could be used against us to cause even greater harm.”
Security researchers have observed strange happenings in Trickbot’s massive collection of hacked computers for weeks, actions that would only be recently revealed as the work of US Cyber Command. The botnet went largely offline on September 22 when, rather than connect back to command-and-control servers to receive new instructions, computers with Trickbot infections received new configuration files that told them to receive commands instead from an incorrect IP address that cut them off from the botmasters, according to security firm Intel 471. When the hackers recovered from that initial disruption, the same trick was used again just over a week later. Not long after, a group of private tech and security firms led by Microsoft attempted to cut off all connections to Trickbot’s US-based command-and-control servers, using court orders to ask Internet service providers to cease routing traffic to them.
But none of those actions have prevented Trickbot from adding new command-and-control servers, rebuilding its infrastructure within days or even hours of the takedown attempts. Researchers at Intel 471 used their own emulations of the Trickbot malware to track commands sent between the command-and-control servers and infected computers, and found that, after each attempt, traffic quickly returned.
“The short answer is, they’re completely back up and running,” says one researcher working in a group focused on the tech-industry takedown efforts, who asked not to be identified. “We knew this wasn’t going to solve the long-term problem. This was more about seeing what could be done via paths x-y-z and seeing the response.”
Even so, Cyber Command’s involvement in those operations represents a new kind of targeting for Fort Meade’s military hackers. In past operations, Cyber Command has knocked out ISIS communications platforms, wiped servers used by the Kremlin-linked disinformation-focused Internet Research Agency, and disrupted systems used by Iran’s Revolutionary Guard to track and target ships. (WIRED reported this week that under Nakasone, Cyber Command has carried out at least two other hacking campaigns since the fall of 2019 that have yet to be publicly revealed.) But in contrast to those asymmetric efforts to disable enemy communication and surveillance systems, Cyber Command’s Trickbot attack represents its first known “force-on-force” operation, notes Jason Healey—a cyberattack meant to disable the means for an enemy cyberattack.