Last fall, on the eve of the elections, the U.S. Department of Defense tried to throttle a transnational cybercrime group. But the hackers have rebuilt much of their operations. It’s become clear in recent months that the gang is very much alive and well.
The Russian-speaking hacking group, sometimes referred to by the name of the malware it uses, Trickbot, has gone after millions of victims around the globe, stealing victims’ banking credentials and facilitating ransomware attacks that have left businesses scrambling to pay hefty extortion demands for years.
And now, even though the Pentagon’s U.S. Cyber Command tried to put a dent in the gang’s operations last year, there are signs the hacking gang is working behind the scenes, quietly updating its malware to monitor victims and gather intelligence. That’s according to the latest intelligence from Romania-based cybersecurity firm Bitdefender, which shared its findings exclusively with The Daily Beast.
Cyber Command went after Trickbot in advance of Election Day last year to prevent any disruptions to the 2020 presidential elections.
But in recent weeks the hackers have been updating a specific part of their operations, namely a tool that helps them remotely control victims’ computers called a VNC module, Bitdefender found. And the hackers already appear to be leveraging their new tool to plot their next attack, says Bogdan Botezatu, Bitdefender’s director of threat research and reporting.
”We’re talking about a massive operation,” Botezatu said, noting that his team set up a system mimicking a victim, known as a honeypot, and that Trickbot has already gone after it. “The administrators were doing reconnaissance… They will decide later what they can capitalize on depending on how much information is on the device or whether it’s part of a business environment or not.”
The hackers also appear to be working on infrastructure that could allow them to sell access to other attackers, according to Vikram Thakur, a technical director at the security firm Symantec, which has previously run efforts to disrupt Trickbot.
“If someone unsuspecting opens up a bad file from Trickbot… without the end user knowing it the bad guys could be watching and even controlling the victim’s computer,” Thakur, whose team reviewed Bitdefender’s findings, told The Daily Beast. “And here the bad guys are creating a robust way to do it where they could gain control [of] your computer and even resell it to others who’d like to steal from it.”
Cyber Command isn’t the only group of hackers that tried to tackle Trickbot last year. Microsoft and a series of other security firms also seized Trickbot’s U.S. servers to try to stand in the way of the organization’s hacking campaigns.
But the continued resurgence of the hacking gang since then isn’t a sign of a failed operation, says Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit. Microsoft’s goal at the time was to prevent any Trickbot-linked hacking from affecting the 2020 presidential election. And the efforts to blunt Trickbot appeared to garner some results right away: Microsoft was able to disable 94 percent of the gang’s infrastructure.
“We were very clear back in October of 2020 that our primary goal was to make sure that enough of their infrastructure was down so that we didn’t have to worry about them disrupting the election,” Hogan-Burney told The Daily Beast. “The operation that we did last October was absolutely a success.”
Botezatu noted that the hackers have been showing signs they expect to get interrupted, and have been building in backup mechanisms into their infrastructure so they can withstand many blows.
“Trickbot is still one of the largest botnets to date,” Botezatu said. “I wouldn’t have expected them to quit so fast.”
As Trickbot has resurged, Hogan-Burney’s team has started to think of taking down the gang as an ongoing task that doesn’t appear to have an end in sight, as opposed to a “one and done” elimination campaign.
“We knew it wasn’t going to be easy…[we] just see it as a continuing challenge,” Hogan-Burney told The Daily Beast.
In recent months Hogan-Burney and her team have been trying to shift the offensive into a ground game—in one case, Microsoft worked with internet service providers (ISPs) to go door to door in Brazil and Latin America to replace customers’ routers that were compromised, one by one.
Although the hacking gang primarily operates out of Russia, Belarus, Ukraine, and Suriname, according to the U.S. Department of Justice, Hogan-Burney said since October Microsoft has been sending cease and desist notices all around the globe. In one case Microsoft has successfully taken down Trickbot infrastructure in Afghanistan, Hogan-Burney said.
Some efforts to track down and chip away at Trickbot are not going well, Hogan-Burney admitted.
“There’s that geopolitical aspect to this too, that makes it seem a little bit more difficult. It’s far more daunting where you have jurisdictions that seem to be harboring cybercriminals,” Hogan-Burney told The Daily Beast. “You want to be able to arrest people and bring them to justice and that part is proving to be more difficult.”
The news that the transnational cybercrime group is still bolstering its attack techniques and plotting its next moves behind the scenes comes as the federal government is trying to deliver blows to the hacking group from all sides—a woman was recently arraigned in federal court in Ohio for her alleged role in helping Trickbot run ransomware attacks.
The Biden administration has been working to hold Russia accountable for giving safe harbor to ransomware criminals within its borders in recent days, after a series of Russian-speaking ransomware hackers left a major meat supplier, pipeline company, and thousands of other firms scrambling in recent attacks. President Joe Biden has said he wouldn’t rule out a retaliatory cyberattack against some of the hackers.
But for Trickbot, last year’s offensive effort isn’t sticking, according to ESET, one of the companies that participated in the takedown effort.
“There was a slowdown in their activities around the disruption operations… as they lost control of most of their network infrastructure and were scrambling to rebuild it, but the fact that they are actively developing modules is another illustration that the cyber criminals operating Trickbot are now back in full swing,” Jean-Ian Boutin, the head of threat research at ESET, told The Daily Beast.
The gang has been recasting itself and recruiting, says Alex Holden, the founder and chief information security officer of Hold Security.
“We know that Trickbot is going through a transformation. The gang is recruiting, expanding, and changing its techniques and approaches,” Holden told The Daily Beast.
Holden said he hopes that research like Bitdefender’s pushes Trickbot off-balance and provides law enforcement leads to pursue that blunt the gang’s attacks.
Bitdefender told The Daily Beast they had informed law enforcement of their research. Cyber Command declined to comment on the future of plans to disrupt the Trickbot gang. The FBI did not return a request for comment on the resurgence and about whether the U.S. government is planning any disruptive operations.
But with every attempt to take them down, Trickbot just seems to get stronger, says Jason Meurer, a senior research engineer at cybersecurity firm Cofense.
“Trickbot will always be hard to take down without access to the authors,” Meurer told The Daily Beast. “Every attempt to take them down will cause them to shift tactics and update their defensive measures.”
The future of governments’ and cybersecurity companies’ efforts to cripple Trickbot is not entirely clear, Meurer admitted.
“The hope is that in the long run, they make mistakes while doing this and open up clues to hunt down who is actually behind Trickbot,” Meurer said.
In the meantime, the cybercrime organization’s efforts are likely to keep emerging and re-emerging despite takedowns, as researchers and law enforcement lie in wait for their next misstep, Botezatu said.
”Trickbot: it’s like a phoenix,” Botezatu told The Daily Beast. “It went down and came back to life from its ashes.”