Does Trickbot and its million zombie computers pose a threat to the US election?

Trickbot's network controls more than a million computers worldwide.
Trickbot's network controls more than a million computers worldwide. © iStock

Tech giant Microsoft and United States military intelligence are taking on Trickbot, deeming the botnet – one of the world's largest networks of computers controlled remotely by cybercriminals – a threat to the US presidential election.


Trickbot's network has been used to paralyse hospitals, retirement homes, banks and even city governments. Considered one of the largest and most active cybercriminal networks in the world, the group has just weathered an assault by Microsoft and US Cyber Command, the military equivalent of the National Security Agency (NSA).

The stakes are high. Calling Trickbot "one of the world's most infamous botnets and prolific distributors of ransomware", Microsoft described ransomware as "one of the largest threats to the upcoming elections", explaining in a statement on Monday that "adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing on those systems at a prescribed hour optimised to sow chaos and distrust".

Microsoft, which maintains a unit to fight cybersecurity threats, was authorised by a judge to neutralise a segment of the servers that the cybercriminals use to coordinate their hacking network, the Washington Post reported on Tuesday.

More than a million computers under cybercriminal control

It deals a blow to "a key player on the cybercriminal landscape", Jean-Ian Boutin, who heads threat research at ESET, one of the cybersecurity firms that has partnered with Microsoft, told FRANCE 24.

Initially, Trickbot was simply "malevolent software developed in 2016 and specialised in financial crime", said Vincent Nguyen, who leads the security threat response and cyber crisis management unit at Wavestone, a consulting firm. From its origins as a tool for stealing bank account access codes, it grew to become a gigantic botnet.

It is the ultimate of those nefarious networks: Trickbot controls more than one million "zombie" computers – the term used to designate PCs controlled from a distance – around the world. That makes it "one of the largest botnets in operation", Nguyen said. That global firepower is then rented out to groups of cybercriminals that can make use of it for their own wrongdoing. Having a million computers to hand makes it possible to launch massive spam campaigns or lead denial of service (DoS) attacks, flooding machines with requests in order to saturate and disable a server, that are difficult to counteract.

Trickbot has also been used to spread ransomware, viruses that block access to a computer's files until the assailant can extricate a payoff. Indeed, it is that usage that has garnered the most media attention. The Trickbot network was at the core of the first ransomware attack with deadly consequences: In late September, ransomware blocked access to the computer system of a German hospital; administratively overrun, the facility had to turn away some patients. One died as a result of not receiving necessary care in time.

In the United States, cybercriminals have used the vast network of computers controlled by Trickbot to take a server hostage, virtually speaking, that managed computer systems for 11 retirement homes in the middle of the Covid-19 pandemic, Microsoft noted.

The spectre of Russia

Trickbot's notoriety has been cause for concern at US Cyber Command and Microsoft as the November 3 election approaches. "One must think of Trickbot as a key that enables cybercriminals to enter a computer system to hack it," Boutin told FRANCE 24.

The worst-case scenario for the November 3 vote would be for a computer controlled by Trickbot's network to be connected to the computer system of a polling place or a server that contains voter files. Hackers could then use the computer to reach the targeted server and to block it with ransomware.

That could mean that "the systems that manage electoral data could be compromised, blocked by ransomware, which could hinder the counting of votes", Nguyen said.

An incident of that kind would add grist to the mill of the incumbent. Donald Trump doesn't let an opportunity go by to suggest that the upcoming election might be "the most rigged election in history".

The threat is taken all the more seriously as Microsoft and US Cyber Command have said that Trickbot is managed by "Russian-language" cybercriminals. They have not established a direct link with the Kremlin, but in the context of a resurgence of Russian propaganda as the vote approaches, there is a real risk.

“We don’t know if this is Russian intelligence,” Microsoft's Tom Burt, who is overseeing the unit dismantling Trickbot, told the New York Times. “But what we know is, TrickBot is by volume the key distribution pipeline for ransomware and that it would be really easy for state actors to contract with TrickBot to distribute ransomware with the goal of hacking election systems," Burt said. "That risk is real particularly given that so much of the ransomware is targeting municipalities,” he added.

Microsoft even planned its operation around the November election. Trickbot could have been targeted as early as April, but the tech giant chose to wait until October in order to give the cybercriminals the least time possible to rebuild their empire.

Indeed, the operation has not spelled the death of Trickbot. "A network like that cannot be destroyed overnight and we can see that there is still some activity, even though there is less of it," Boutin said. In other words, not all of the servers controlling computers remotely could be neutralised. The big question is how many PCs are still under the thumb of these cybercriminals, what can they do with them and, above all, whether Trickbot will have time to recuperate by November 3.

This article has been translated from the original in French.

Daily newsletterReceive essential international news every morning