Microsoft's TrickBot lesson

A bad botnet is a hard target. [View in browser]( [Bloomberg]( Hey, It’s Jeff in New York. We finally have some details about a big anti-cybercrime sting. But first... Today’s must-reads: • Analysts are betting that [Netflix’s advertising experiment]( will turn things around • The NFL is trying to [push virtual reality]( into the mainstream • JPMorgan says [client interest in crypto]( has fallen sharply After 2020 election effort, Microsoft shifts focus Having failed to completely demolish a massive cybercriminal network that was poised to disrupt US election technology two years ago, Microsoft Corp. is looking to apply lessons from the experience to help fend off future attacks. In October 2020, [Microsoft announced]( it had disrupted TrickBot, a tool that Russian-speaking thieves used to distribute malware in a way that hackers could have used to create havoc with voting systems on election night. Days before, the [Washington Post reported]( that the Defense Department’s offensive cyber unit had mounted its own operation against TrickBot, aiming to knock the hacking network offline prior to Nov. 3. The moves against TrickBot—a web of more than 2 million hacked computers, known as a botnet, that scammers use to spread ransomware — were meant to spare state and local websites from Russian hackers’ attention while Americans cast their ballots. And while election administrators didn’t report any major incidents en route to Joe Biden’s electoral victory, TrickBot has since recovered, with [the FBI warning]( that it still functions as a key ransomware distribution tool. Microsoft’s experience, reported here for the first time, offers a reminder that the complexity of the cybercriminal tools make them harder to eliminate. With the US midterm elections scheduled for November, the company is shifting the way it treats such threats. “In October of 2020 we got everything down as far as we could because we were worried about them distributing ransomware in advance of the election,” Amy Hogan-Burney, general manager of Microsoft’s digital crimes unit, told me recently. Investigators knew botnets roved the internet, pummeling victims with spam, phishing emails and malware. But they also learned that TrickBot operators controlled a shadow network they could activate if a government agency or company like Microsoft tried to take them down. “Botnet operators have gotten very sophisticated,” said Tom Burt, Microsoft’s vice president for customer security and trust. After all, the gang had infrastructure all over the world, from Afghanistan to Brazil, the company said. “What you have to do when you take down the backup mechanism is be ready to take down everything in one tier as fast as possible,” Hogan-Burney told me. When one internet service provider involved in the effort failed to take down TrickBot’s backup servers in time, hackers were able to regenerate, Hogan-Burney added. Microsoft declined to identify the internet service provider that failed to act in accordance with the coordinated effort, which also involved the US Justice Department, the Financial Services Information Sharing and Analysis Center, the telecommunication company Lumen Technologies Inc. and the security firms Symantec and ESET. “By the time we executed, there were resources we were expecting to have taken down that weren’t taken down because we didn’t have the greatest coordination,” said Burt. “That’s something we’ve improved and will continue to work on.” Standing with clenched fists, Hogan-Burney, of Microsoft’s Digital Crimes Unit, said, “I’m still a little angry.” Microsoft has identified another botnet it plans to disrupt in the coming months with an updated strategy. Rather than moving with a single punch, Burt said, Microsoft intends to try a “multistage effort” that will shutter one section of a botnet at a time, ideally without the hacks realizing it until it’s too late to respond. “What used to be a 24-hour operation where we rip apart their infrastructure and they go dark for awhile, that’s now a project that’s going to take months if not longer to rip down their infrastructure and eliminate their redundancy,” he said. Microsoft has traditionally provided evidence about alleged cybercriminals to US authorities. The company plans to do less of that work, Burt said, because so many alleged hackers escape justice by staying in countries like Russia and China. Instead, the company will continue to remove malicious infrastructure. “We recognize that and we’re prepared to do that,” Burt added. — [Jeff Stone](mailto:jstone183@bloomberg.net) The big story A startup [backed by a billionaire]( Brazilian family is partnering with e-commerce platform Farmers Business Network to offer robots that spray fertilizer and pesticides to US farmers. Solinftec’s robots, which run on solar panels, are autonomous and were designed to apply fertilizer and weed killer only where needed. The company said the technology, already in use in Brazil, can reduce product use by as much as 70%. What else you need to know Apple is hiking [App Store prices]( while global currencies tumble. Republican Sen. Josh Hawley is [pushing the US]( to force a split between TikTok and its parent company. Nasdaq is moving into crypto as a [way to appeal]( to big-money investors. Follow Us More from Bloomberg Dig gadgets or video games? [Sign up for Power On]( to get Apple scoops, consumer tech news and more in your inbox on Sundays. [Sign up for Game On]( to go deep inside the video game business, delivered on Fridays. Why not try both? Like getting this newsletter? [Subscribe to Bloomberg.com]( for unlimited access to trusted, data-driven journalism and subscriber-only insights.​​​​​​​ You received this message because you are subscribed to Bloomberg's Fully Charged newsletter. If a friend forwarded you this message, [sign up here]( to get it in your inbox. [Unsubscribe]( [Bloomberg.com]( [Contact Us]( Bloomberg L.P. 731 Lexington Avenue, New York, NY 10022 [Ads Powered By Liveintent]( [Ad Choices](