Dealing With CyberCriminals

Professor Bobby Chesney on Lawfare reports on USCYBERCOM’s tactics with regards to TrickBot, a botnet (network of infected computers) able to deliver targeted functionality, if I understand Chesney’s description properly. I’m interested in the tactics USCYBERCOM’s utilizing:

A week before U.S. officials disclosed to the Washington Post that it had intervened against TrickBot, Brian Krebs had reported that something was afoot, drawing on the work of cyber threat intelligence firm Intel 471.

First, on Sept. 22 and again on Oct. 1, someone had managed to harness the TrickBot control infrastructure in order to issue a revised configuration file to infected machines, providing a new IP address for their C2 server. The idea was straightforward: Cut off the infected machines from the operators’ control by redirecting their C2 pathway to the address 127.0.0.1 (the “localhost” address, which in practical terms redirects software back to the local machine and, thus, functions as a dead end for communications purposes).

Second, Krebs reported that another intelligence firm (Hold Security, which tracks data that TrickBot harvests) had detected a massive increase in the volume of records yielded by TrickBot. The firm concluded that this was not the fruit of TrickBot’s own efforts but, rather, that someone had managed to inject a vast flood of apparently bogus records into TrickBot’s system, perhaps burying or obscuring the real records in the process. If nothing else, this move would have created a lot of resource-consuming headaches for TrickBot’s operators as they set about to fix the mess.
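The first tactic above turns on a simple fact: a C2 entry of 127.0.0.1 can never reach an operator-controlled server. As an added example (not code from this post, from Chesney, or from any of the firms mentioned), the following Python reads a constructed, hypothetical C2 server list in a made-up `<srv>host:port</srv>` layout (the real TrickBot config format is not shown here) and reports whether every remaining C2 address is a dead end, the sort of check an analyst might run on a recovered configuration.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in a hypothetical format; the layout is an assumption
# for illustration and is not the real TrickBot configuration syntax.
SAMPLE_CONFIG = """\
<srv>127.0.0.1:443</srv>
<srv>192.0.2.10:449</srv>
<srv>0.0.0.0:443</srv>
<srv>198.51.100.7:443</srv>
"""


def parse_c2_list(config_text: str) -> List[str]:
    """Extract host:port strings from <srv>...</srv> lines of the sample format."""
    servers = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("<srv>") and line.endswith("</srv>"):
            servers.append(line[len("<srv>"):-len("</srv>")])
    return servers


def is_dead_end(hostport: str) -> bool:
    """True when the address cannot reach any remote host (loopback or 0.0.0.0)."""
    host = hostport.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname would need DNS resolution, so it cannot be judged offline.
        return False
    return addr.is_loopback or addr.is_unspecified


def assess(config_text: str) -> Dict[str, object]:
    """Split the C2 list into dead-end and still-live entries and summarise."""
    servers = parse_c2_list(config_text)
    dead = [s for s in servers if is_dead_end(s)]
    live = [s for s in servers if not is_dead_end(s)]
    # The redirect only neuters the bot if no live entry survives.
    return {"dead": dead, "live": live, "neutralized": bool(servers) and not live}


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG))
```

With the sample above, two entries are dead ends but two reachable addresses remain, so the bot is not neutralized; only a list where every entry points back at the local machine would be.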

Chesney puts a positive spin on the tactics, but these are not the same as a cure, are they? Well, I’ve never worked in this particular field, but – in an anger reflex dating back to the 1980s and 1990s when I had to deal with the distant ancestors of cybercriminals in the BBS world – I’d rather find the geographical location of the criminals in question, and then send someone to translate cyber crime into real world consequences for them.

Given that’s almost certainly impossible, I’ll have to satisfy myself with the thought that TrickBot’s operators are exhausting themselves in keeping their criminal enterprise going. I hope more effective tactics are developed, and I get to hear about them.


About Hue White

Former BBS operator; software engineer; cat lackey.
