A Trickbot Assault Shows US Military Hackers' Growing Reach

Despite the operation's short-term effects, it sets new precedents for the scope of Cyber Command's mission.
Fort Meade NSA Headquarter
The US military hackers working out of Fort Meade have taken on an aggressive new role.Photograph: BRENDAN SMIALOWSKI/Getty Images

For more than two years, General Paul Nakasone has promised that, under his leadership, United States Cyber Command would "defend forward," finding adversaries and preemptively disrupting their operations. Now that offensive strategy has taken an unexpected form: an operation designed to disable or take down Trickbot, the world's largest botnet, believed to be controlled by Russian cybercriminals. In doing so, Cyber Command set a new, very public, and potentially messy precedent for how US hackers will strike out against foreign actors—even those working as non-state criminals.

Over the past weeks, Cyber Command has carried out a campaign to disrupt the Trickbot gang's million-plus collection of computers hijacked with malware. It hacked the botnet's command-and-control servers to cut off infected machines from Trickbot's owners, and even injected junk data into the collection of passwords and financial details that the hackers had stolen from victim machines, in an attempt to render the information useless. The operations were first reported by The Washington Post and Krebs on Security. By most measures, those tactics—as well as a subsequent effort to disrupt Trickbot by private companies including Microsoft, ESET, Symantec, and Lumen Technologies—have had little effect on Trickbot's long-term operations. Security researchers say the botnet, which hackers have used to plant ransomware in countless victim networks, including hospitals and medical research facilities, has already recovered.

But even despite its limited results, Cyber Command's Trickbot targeting shows the growing reach of US military hackers, say cyberpolicy observers and former officials. And it represents more than one "first," says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. Not only is this the first publicly confirmed case of Cyber Command attacking non-state cybercriminals—albeit ones whose resources have grown to the level that they represent a national security risk—it's actually the first confirmed case in which Cyber Command has attacked another country's hackers to disable them, period.

"It's certainly precedent-setting," says Healey. "It's the first public, obvious operation to stop someone's cyber capability before it could be used against us to cause even greater harm."

Security researchers have observed strange happenings in Trickbot's massive collection of hacked computers for weeks, actions that would only be recently revealed as the work of US Cyber Command. The botnet went largely offline on September 22 when, rather than connect back to command-and-control servers to receive new instructions, computers with Trickbot infections received new configuration files that told them to receive commands instead from an incorrect IP address that cut them off from the botmasters, according to security firm Intel 471. When the hackers recovered from that initial disruption, the same trick was used again just over a week later. Not long after, a group of private tech and security firms led by Microsoft attempted to cut off all connections to Trickbot's US-based command-and-control servers, using court orders to ask Internet service providers to cease routing traffic to them.

But none of those actions have prevented Trickbot from adding new command-and-control servers, rebuilding its infrastructure within days or even hours of the takedown attempts. Researchers at Intel 471 used their own emulations of the Trickbot malware to track commands sent between the command-and-control servers and infected computers, and found that, after each attempt, traffic quickly returned.

"The short answer is, they’re completely back up and running," says one researcher working in a group focused on the tech-industry takedown efforts, who asked not to be identified. "We knew this wasn’t going to solve the long-term problem. This was more about seeing what could be done via paths x-y-z and seeing the response."

Even so, Cyber Command's involvement in those operations represents a new kind of targeting for Fort Meade's military hackers. In past operations, Cyber Command has knocked out ISIS communications platforms, wiped servers used by the Kremlin-linked disinformation-focused Internet Research Agency, and disrupted systems used by Iran's Revolutionary Guard to track and target ships. (WIRED reported this week that under Nakasone, Cyber Command has carried out at least two other hacking campaigns since the fall of 2019 that have yet to be publicly revealed.) But in contrast to those asymmetric efforts to disable enemy communication and surveillance systems, Cyber Command's Trickbot attack represents its first known "force-on-force" operation, notes Jason Healey—a cyberattack meant to disable the means for an enemy cyberattack.

Despite failing to disrupt Trickbot for long, Cyber Command's first known attempt at that tactic may have been a success, argues Bobby Chesney, a national-security-focused law professor at the University of Texas. He sees the operation as a prime example of Nakasone's doctrine of "persistent engagement," creating constant disruptions for the enemy designed to deter them or impose costs that weaken their ability to attack.

"There's lots of ways in which it makes great sense to put the Trickbot operators through their paces repeatedly," says Chesney, "both to cause a little bit of rolling blackouts for them and to impose what Cybercom in other contexts has described as one of their goals, which is just to increase friction for adversaries and to make life harder, make them spend their resources on things other than causing trouble directly."

But others aren't so sure that Cyber Command is the right arm of the US government to be carrying out attacks on global cybercrime organizations. J. Michael Daniel, the cybersecurity coordinator for the Obama White House, argues that setting a precedent that military hackers can be used to disrupt cybercriminals presents potential unintended consequences that deserve to be debated. "There are reasons why we don’t use the military to do policing functions. The military’s job in the physical world is to kill and destroy," says Daniel. "The function of the military is not to arrest people or bring them into a system where we use the rule of law to decide if someone’s committed a crime. It's to coerce people to do what we want them to do. It’s a very different way of looking at the world. You need to think very carefully about whether those tools are the appropriate one for the mission."

Daniel points out that if other countries were to carry out similar operations, they might well target compromised systems in the US, with potential collateral damage. "All of these systems reside in someone's territory," Daniel says. "Are we going to be as excited when the Brazilian military carries out some of these operations, or the Indian military, and they come into US territory?"

But Columbia's Jason Healey argues that whether Cyber Command's role was warranted depends on exactly what intelligence led to the strike. Both Cyber Command's Nakasone and Microsoft have made public statements hinting that Trickbot represents a threat to the upcoming elections, perhaps that it even could be coopted by the Kremlin to disrupt election systems. Russian intelligence services have commandeered cybercriminal botnets before, and Trickbot has been rented out to North Korean state hackers in the past. If Cyber Command is working to prevent or preempt a state-sponsored attack, that significantly changes the precedent it's setting.

"If this is a general-purpose tool rather than 'in case of emergency, break glass,' then it's definitely Pandora's box," says Healey. "But if as a matter of public policy we say, 'We're getting closer to an election, this is a really widespread botnet, and it could be repurposed for Russia because we know that's what they do. And so that's where we're going to use our firepower, for things like that,' boy, that makes a lot of sense."

Trickbot, meanwhile, remains as alive as ever. The botnet is highly resilient, says Intel 471 CEO Mark Arena, due to tricks like using the anonymity software Tor to hide its command-and-control servers and exploiting the decentralized domain name system EmerDNS to register a backup server on a domain that can move to a different IP address in case of a takedown. As tough as it may be to disable the botnet long term, Arena says he welcomes Cyber Command to keep trying.

"This is one of the top-tier cyber criminals, and they're very, very good at what they do. And as it stands today, they're protected, out of reach of Western law enforcement. The best approach would be to arrest them. The second-best is to disrupt them," says Arena. "Having the US military going after this sort of criminal group is certainly unique. And I hope we see more of it."


More Great WIRED Stories