RICHMOND, Va. — Only days before the November election, Microsoft turned to a federal judge in Alexandria, arguing a ransomware network run by Russian-speaking cyber criminals posed a growing threat to the integrity of the vote.
The corporation asserted its computer code is illegally used to operate Trickbot ransomware, a virus weaponized to lock electronic networks and make computers inoperable. That is, until a ransom is paid to the hackers.
“Defendants have directed malicious computer code at the computers of individual users located in Virginia and the Eastern District of Virginia,” lawyers for Microsoft wrote in an October 6 federal civil complaint.
“Defendants have attempted to and, in fact, have infected such user's computers with malicious computer code.”
The court this month granted approval for Microsoft to disable Trickbot servers and IP addresses, as the Pentagon’s U.S. Cyber Command launched a parallel action to neutralize the global botnet.
“As of October 18, we’ve worked with partners around the world to eliminate 94% of Trickbot’s critical operational infrastructure,” said Tom Burt, Microsoft’s vice president of customer security & trust.
“Since the initial court order we obtained, we’ve gone back to court and secured subsequent orders to take down the newly activated infrastructure. We will continue to do this between now and Election Day on November 3.”
Related ransomware attacks have already demonstrated capabilities to cripple civic computer networks, as U.S. intelligence officials and cybersecurity experts said the malware threat could be launched at local election systems.
“Let’s say, if you’re a state or local municipality, or somewhere in the U.S. involved with elections,” began Mark Arena, CEO of cyber crime intelligence company Intel 471. “Your compromised computer access could be sold to Russian security services.”
“Trickbot hackers are already selling accesses to cyber criminals, they’re selling access to nation states,” Arena said. “It’s not a far jump to say they’re probably going to give it to the Russian security service or Russian government, if they asked, which they probably are.”
Illustrating the potential damage, a virus related to Trickbot paralyzed Baltimore city computers in 2019, with an estimated cost of $18.2 million for computer repairs and delayed or lost revenue.
The same day of Microsoft’s October 2020 federal court action, George Washington University Hospital said it recovered from a malware attack that targeted its parent company’s computer systems.
“The things that we’re trying to prevent now, are a shutdown of election results,” said Heather Stratford, CEO of cybersecurity firm Stronger International. “You can't wait until the fire is blazing to say, 'Oh, now we need to be ready.’”
In an interview, Virginia’s elections commissioner Christopher E. Piper declined to comment on specific cyber actions launched by foreign actors. Yet he said Virginia is far-better prepared to defend against cyber adversaries than it was four years ago, when Russian hackers searched for vulnerabilities within the state’s election infrastructure.
WUSA9 first reported Virginia was unaware of a 2016 Russian scan of the state’s election websites, an effort U.S. intelligence traced back to the Kremlin’s military spy agency. The action did not breach Virginia’s election system, but Richmond remained unaware of the Russian reconnaissance until the FBI sounded the alarm in August 2016.
“I think that the incredible change in elections since 2016, is the partnership with the state and the federal government,” Piper said. “Now with the feds, we can communicate, figure out what exactly happened, and get ourselves online and ready to go, without missing much of a beat.”
Piper referenced Virginia’s partnership with the Cybersecurity and Infrastructure Security Agency (CISA), a new division of the Department of Homeland Security.
CISA was established after the midterm elections in November 2018, and is tasked with lending the full cybersecurity resources of the federal government to defend the states.
“They're sharing information with us,” Piper began. “We're working together to identify threats and to come up with strategies to thwart off threats, as we talk on a very regular basis.”
“And that's not something that was occurring in 2016.”
Piper also touted changes made by Virginia state legislators, reforms designed to prepare for an attack similar to a Trickbot hack.
If Virginia computer systems or precinct electronic poll books are disabled through malevolent action, leaving lists of registered voters unavailable, poll workers will still be able to process voters.
“The General Assembly passed the requirement that every polling place now has a paper backup of their electronic poll book,” Piper said. “So, in every single polling place, if a poll book were to go down, there's a paper backup to use so that voting can continue on as normal.”
Both Arena and Stratford said their analyses of current disruptions to Trickbot hackers should give voters cause for calm and confidence.
“Microsoft’s action against Trickbot looks like it is having results,” Arena said. “Our first reaction was that the American preemptive assault was primarily targeting U.S. infrastructure of Trickbot.”
“But now we’re seeing the measures to disable Trickbot ransomware has definitely gone global in nature, and Microsoft has been quite successful at that.”
“I believe that we will have a solid, fair, election,” Stratford added. “And there are a lot of people out there making sure that will happen, as we take Trickbot out at the knees.”