
Symantec Security Summary - October 2020

Trickbot, COVID-19 and Election Security

Trickbot, trapped. The infamous Trickbot botnet, described by many as the world’s largest botnet and the criminal machine behind a myriad of ransomware attacks, has been foiled, at least temporarily, thanks to the work of a U.S. military operation and, more recently, a court order.

Both maneuvers were designed to deflate Trickbot before the U.S. election so it couldn’t be used as a vector for interference in 2020 voting. Krebs on Security first reported that someone had been launching a series of coordinated attacks to disrupt Trickbot, which is described as an army of millions of hijacked Windows computers under the control of Russian-speaking criminals, used to steal financial data and to serve as an entry point for pushing malware throughout compromised organizations.

In what appeared to be a well-orchestrated strike, Krebs reported that Trickbot-infected systems received a bogus configuration file, the mechanism normally used to pass infected machines new instructions on where to download malware updates. In addition, millions of phony records about new victims were pumped into the botnet in an attempt to overload it and disrupt its operations. Follow-on reporting attributed that coordinated attack to U.S. Cyber Command, as part of a concerted campaign to temporarily disrupt the Trickbot botnet.

Several days later, an initiative was underway to defang Trickbot’s ability to impact election infrastructure. A global partnership of security, software, telecommunications and financial services firms, including Symantec, a division of Broadcom (NASDAQ: AVGO), collaborated to obtain a federal court order to disable IP addresses associated with Trickbot servers. The group, led by Microsoft and the Financial Services Information Sharing and Analysis Center (FS-ISAC), also worked with a host of global telecom providers to shut down the network.

Through their actions, the collaborators sought to disable the botnet’s command and control servers and to block the operators’ ability to lease or buy new servers, which in turn would hamper Trickbot’s ability to rebuild its zombie army before the election. While experts didn’t anticipate the botnet would alter votes, they were concerned about its potential to fuel confusion or inflame distrust in voting systems, which was a hot-button issue in the run-up to the November election.

* * * 

There was other cyber security-related activity as the election drew near. Following a tip from the FBI, Twitter identified and removed 130 Iranian Twitter accounts that were attempting to disrupt conversations during the first presidential debate in late September. In a statement, Twitter said it identified the accounts quickly, removed them from the platform, and shared full details with peers. It said it also planned to publish the removed accounts and content once its investigation was complete to provide greater transparency.

Russian influence also remains a threat being closely monitored. In its October Homeland Threat Assessment, the U.S. Department of Homeland Security warned that numerous nation state actors were potential threats to election security, including China and Iran, but called out Russian attackers as the most disruptive threat. “We assess that Moscow’s primary objective is to increase its global standing and influence by weakening America—domestically and abroad—through efforts to sow discord, distract, shape public sentiment, and undermine trust in Western democratic institutions and processes,” the warning stated. It specifically cited Russian activity to employ social media influence campaigns and media manipulation to inflame social and racial tensions as well as propagating misinformation to incite panic or provoke animosity.

* * *

The quick shift to work-from-home due to the COVID-19 pandemic has also fueled a rise in cyber security events. Arctic Wolf found that the number of corporate credentials with plaintext passwords available on the dark web has surged by 429 percent since March, paving the way for a host of security issues. Ransomware and phishing attempts increased by almost two-thirds in this year’s second quarter, Arctic Wolf found, bolstered by a wave of COVID-19-related phishing incidents. Work-from-home has also contributed to a 243 percent spike in devices connected to open and unsecured Wi-Fi networks, the report found.

With more than half (56%) of security professionals reporting a rise in cyber security threats since the start of the pandemic, and 70% acknowledging that cyber criminals are pursuing new tactics, according to research from Claroty, what explains the relative inertia in addressing the issue? The survey found that only one-fifth of organizations have made cyber security a priority during these pressing times, a decision likely to have negative consequences down the line.


About the Author

Beth Stackpole


Beth is a veteran journalist covering the intersection of business & technology for more than 20 years. She's written for most of the leading IT industry publications and web sites as well as produced custom content for a range of leading technology providers.
