Hacked - Force on Force
Episode Date: October 27, 2020
Jordan Bloemen & Scott Francis Winder discuss the attack on TrickBot. If you like the show and want to make sure we can keep making it, please subscribe and if you can visit https://www.patreon.com/h...ackedpodcast and show us some love. Also - don't forget to check out our loving sponsor Proton VPN. Visit protonVPN.com/hackedpodcast for 33% off a 2-year plan. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
HTTPS, colon, forward slash, forward slash, 127.0.0.
Imagine an army.
More like a squadron of an army.
Now these guys, this squadron, they're running riot on enemy terrain.
Every day they're getting a new radio command telling them to take this city
or raid this armament or storm this fort,
and these guys are ruthless.
They wake up, they get their radio command, they do the job and they repeat. They don't know where they'll be tomorrow, only what they've
got to do today. And let's say one morning, they get that radio command. And it says,
before I give you your instructions, you're to change radio frequencies. The new channel,
127.0.0. They switch over their radios, and a minute later, the voice comes back and gives them
their new command. Stand by.
So for one whole day, the feared band of men sits and waits.
They let their heart rate drop a little.
They enjoy the balmy weather and a nice warm night.
The next day, they wake up, they tune into the radio, and the commands don't come.
They wait and they wait until one of the men finally asks if they should check the old frequency.
And when they do, when they turn their radios back to their own
original bandwidth, the one that had been sending them on a reign of terror across the land,
they find the normal voice giving the same old command, asking where the heck they have been,
why they changed frequencies, what was going on?
Turns out the squadron had been duped.
Someone had found their way onto their frequency and tricked them into changing channels to
the wrong bandwidth. And sure, it didn't really last that long.
It was a lot of work for one day of calm, but there's still two important lessons to be learned here.
First, a day of calm means that maybe some people who would have bumped into that ruthless squadron didn't.
But second, and this is really the big one, that squadron learned that someone knows how to get onto their radios,
which means that they can't really trust a damn thing that comes out of them,
bringing us nicely all the way back around to 127.0.0.1.
On September 22nd,
millions of Windows computers
that are infected with
and a part of
the TrickBot botnet
received a simple instruction.
Your control server
has a new address.
That address?
127.0.0.1.
For some interesting
but complicated reasons,
it's impossible
for those servers to reach that address.
So, they stood by.
Someone had hopped on
and intentionally told everyone to report to this new address,
to tune into this different radio frequency,
to just stand by and enjoy the balmy weather.
This isn't a story where we explain botnets.
We've done that a lot and enough.
This isn't even a story about TrickBot,
though we are going to start there.
This is about who tuned in and gave that fake address,
127.0.0.1.
Because who they are
and the fight that they're fighting,
that's something kind of new.
This is Force on Force,
here on Hacked.
We're going to come dangerously close
to breaking a promise in this episode.
I don't make any promises
that I don't keep, Jordan.
Well, you're going to come real close to explaining
what a botnet is.
I think I've done that like nine times
so maybe we could just pull us now
out of a previous episode?
I think we can rely on people
knowing what a botnet is in this episode.
You all know what a botnet is.
You all know what a botnet is.
Let's move forward assuming
that you know what a botnet is.
Just pause this episode and go back in time.
Look at some of the previous episodes
that have botnet in the title.
So this is a story about Trickbot.
And an important thing to know about Trickbot
is that Trickbot is a botnet for hire.
Scott, what is a botnet for hire?
Well, it's a botnet, which I'm
not going to explain what it is, that you pay money to access and leverage.
Right. So someone controls all of these different computers and then someone comes to them and says,
I've got some money, I want you to deploy something to those devices. You just came dangerously
close to defining what a botnet is. Right up to the edge. I stared into the abyss and it stared
back. Yes. You approach somebody and say, hey, you control all these computers via your botnet.
And I would like to leverage that botnet. How much would you charge me per thousand
PCs or whatever the going rate that they're bartering on is.
Since 2016, the operators of TrickBot have provided customers access to an army of infected
machines, giving them a one-stop shop delivery mechanism for really whatever kind of malware
they wanted to deliver in the first place, including, and importantly for this story,
ransomware.
This army of machines includes both end-user computers and Internet of Things devices, you know,
which has extended TrickBot's reach into households and larger brick-and-mortar organizations.
In this, TrickBot is a pretty normal, if not really large, botnet.
But if we look at its behavior over the four years that it's been operating,
two really interesting things about TrickBot pop up.
There's what people have hired to do with it,
and there's how the operators keep expanding it,
how they keep capturing more machines.
In terms of the latter, in terms of expanding TrickBot,
it obviously starts with phishing.
The toolbox for hacking really just includes phishing these days.
So if you're good at phishing, you can pretty much do whatever you want.
Steal Bitcoin, take over a computer, shut down the Israeli government, whatever.
Just, if you know how to phish, that's all. You teach a man to fish,
he eats for a...
Sorry, give a man a fish, he eats
for a day. Teach a man to fish,
he steals Bitcoin for life.
If you were doing it in the last six months, so you were trying, you're going phishing.
Yep, going phishing.
What kind of social engineering tactics would you use?
What kind of lures would you be putting out there in the world?
I think anything contemporary, you know, playing on people's emotions.
Same as marketing.
You know, Jordan and I work in marketing, which we've discussed before.
And, you know, hope and fear are the two main emotions that drive people's decisions.
So I would play off of hope and fear.
You know, you see that in phishing attacks all the time.
You know, you won something.
You know, the classic phone scam of, hey, you want a free cruise, you know, click one to receive
your prize, the next thing you know, you're giving your Visa numbers to somebody,
then number two would be, you know, you're dying, somebody's dead, something's hurt, whatever,
play off of the fear.
And so those, I think, would be the two ways that I would go.
And that's exactly the way TrickBot has gone.
Imagine you're the operators of TrickBot and you're trying to capture more machines
using spam and spear-phishing attacks.
Seven or so months ago, you were given the single best lure a spear-phisherman
could ever hope for. Of course, one of the key issues tomorrow night is expected to be the coronavirus.
As our nation climbs higher into a third surge of COVID cases.
When will a COVID-19 vaccine be ready in the UK?
For the last six months, the most popular lure used in phishing attacks to spread TrickBot: COVID-19.
Sure, hope and fear, yeah.
Leverage, leverage brand.
Like, this is just marketing.
These people are just good at marketing.
Look at whatever Outbrain, which is one of those, like, you know, crappy link
companies that you go to a news site,
next thing you know, there's like five
Outbrain articles linked off of it being like
how to be a
better ally in the BLM
struggles. And it's like, you know, whatever's
contemporary things they're selling, you could probably
just clone those and sell those.
This actor from this sitcom from the
90s, you won't believe what
they look like now. Just click on the next
hundred pages of this website.
We will eventually maybe show you a photo.
It's always the, like, 35th thing in a listicle.
But you can't jump into the list.
You have to go page by page and see
600 ads per page.
I used to be able to go up to the top
in the domain thing and find the number
of the page and just type in
a later number and hope that it wasn't
past the end of the listicle.
Do you ever do that?
Man, you were a hacker, Jordan.
I do have a show about it.
And then there's what people have been using
TrickBot for. When we look at a
broad breakdown of documented instances of TrickBot being deployed since it first bubbled up in
2016. Well, we see a lot of banks. Essentially, a typical case for TrickBot sees the malware spying on
the infected machine to gain access to banking, tax, and email user credentials. The reasons for that
are obvious. Email is useful for two-factor authentication and spreading the malware further
via an add-on called TrickBooster,
which hijacks the victim's email to spam their contacts,
spreading TrickBot onto more machines.
But a few years ago,
everyone realized all at once that between SMS,
biometric, and really any form of two-factor authentication,
stealing banking information
became a really colossally difficult way to make money,
and a lot of people just switched over to ransomware
because it's less time-consuming.
Totally. If you control someone's computer
and you can routinely ransomware attack them
and they routinely and consistently pay, then why not?
As the general hacking community switched to ransomware,
so too did TrickBot's users,
which is all to say that the answer to the question,
what is TrickBot used for and how does it spread,
is really whatever its user base wants to use it for,
which is sort of unsatisfying
until you start to think of TrickBot more like a platform.
It's like asking,
what do people use an OS for?
The answer is whatever they want.
TrickBot is a tool, and tools have many, many uses.
This is the part in the story when it's useful to stop picturing a TrickBot victim as an individual user
And start imagining something a little bit bigger.
Kind of like an institution.
Let's start with a hospital.
Why would it be useful to infect a hospital with TrickBot?
Sure.
Yeah, well, you know, yeah.
Yeah, lock down the family photos.
It might be worth 500 bucks or a thousand.
You lock down, you know, the digital medical records for a country.
You know, what's that worth?
What's the cost associated with redoing them?
Hundreds of millions?
On October 12th of this year, Microsoft put out a press release.
The release announced that they, along with a consortium of other infosec companies,
had launched an attack,
an attack on TrickBot.
Makes sense.
Why does that make sense?
It's attacking their computers.
They're running Windows operating system.
Windows is the vulnerable target for TrickBot.
It makes sense that Windows and Microsoft
and the programmers at Windows
would have a better understanding of things they can do
inside the operating system to bar it, block it,
disable it, control it, etc.
I want to go back to that Army metaphor.
The army facing down our rogue squadron.
The army facing down TrickBot would seem at first blush to be led by Microsoft.
And if you stopped reading the news coverage up until that very specific point,
you'd be left rightfully thinking that was the case.
That October 12th document I cited earlier was an announcement
that Microsoft had taken action after the United States District Court for the Eastern District of Virginia
granted their request for a court order to halt TrickBot.
And this is where that first
false radio signal, that made-up IP address, comes in.
Here's an important and I think interesting quote from Microsoft.
It's a little long, but quote,
During the investigation that underpinned our case,
we were able to identify operational details,
including the infrastructure TrickBot used to communicate with
and control victim computers,
the way infected computers talk to each other,
and TrickBot's mechanisms to evade detection and attempts to disrupt its operations.
As we observed the
infected computers connected to and receiving instructions from command and control servers,
we were able to identify the precise IP addresses of those servers. With this evidence,
the court granted approval for Microsoft and our partners to disable the IP addresses,
render the content stored on the command and control servers inaccessible,
suspend all services to the botnet operators, and block any effort by the TrickBot operators
to purchase or lease additional servers.
Sounds comprehensive.
Sounds like they took TrickBot down.
Before we get to whether or not that's actually the case,
I wanted to know why.
Beyond just altruism, beyond the fact that most of these infected machines are Windows machines,
and that's bad for Microsoft's bottom line,
why did the government give them the authority to lead this attack on TrickBot servers in the U.S.?
Right now, with everything going on in the world?
The answer? Elections. Right after this break. Think about the last time you heard a
breach story on this show. It always starts the same way. Someone somewhere saw something too late,
an alert buried, a signal missed, a SOC that just couldn't keep up. Arctic Wolf set out to
solve that problem by rebuilding security operations from the ground up for a world where
attackers are already using AI. They created the Aurora superintelligence platform, a fully
agentic system powered by the swarm of experts. Instead of single-purpose bots or lucky-guess
LLMs, this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything
trustworthy, and all of this is just off running on their secure operations graph.
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week,
And over a decade of real-world incident response.
The system reasons on real signals and real context, not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent-led-by-design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every
AI-driven decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy
and proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI and security operations actually
looks like, go to arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head.
Organizations around the world saw headlines they never expected and cybersecurity teams
were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened,
but why these attacks succeeded,
and most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights into how threat actors are evolving,
how defenders are responding, and what strategies can help you stay ahead of the next big breach.
It's not fearmongering.
It's practical, actionable, intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
Imagine you want to mess with an election.
Maybe not the results, but trust in the results.
Say you wanted to sow doubt.
The actual systems that count ballots are some of the most locked down and secure in the world.
But what about the systems that are used to report those votes?
What about voter registration sites?
Imagine the doubt and chaos that you could sow if on election day,
you could press a button and lock down or lock out people from accessing those machines.
You know, if you've got essentially control of a massive amount of computers,
you could roll out, you know, essentially malware that was projecting incorrect polling locations,
incorrect election dates.
There's literally nothing you really can't do with good malware.
So if you were building one targeted specifically to,
to election-related information,
you could probably, if you really wanted to get into it,
like inject all kinds of nasty misinformation
into places where it's not supposed to be.
You could probably slot things into people's calendars
that are incorrect.
There'd be an unlimited amount of ways
for you to kind of play with people's lives.
TrickBot has already been deployed
against large institutions.
It's been used against major health care providers
like Universal Health Services,
whose systems it crippled by deploying the ransomware Ryuk.
The attack forced staff to restart manual systems and paper records
across a system that runs more than 400 facilities across the United States and Britain.
Some patients reportedly were rerouted to other emergency rooms entirely
and experienced pretty long delays in getting test results.
Let's imagine that exact same tactic I just outlined, applied to an election.
Let's imagine that on election day, you had the ability, on those really important computers,
the ones used for registration and reporting, to just press a button and have that computer go,
oh, ransomware, we've locked down your hard drive, you can't use this device anymore.
That device locked down in that moment, I feel like that could create incredible chaos.
Well, I think not only, yes, first and foremost, yes, that would create incredible chaos.
but if you had a lot of the computer systems that were doing vote tallying and tracking and stuff like that under full control,
you could then also probably manipulate the results of the election,
which would be a major, major way to forecast out.
So a fair question.
Certainly a question I'd be asking if I was listening to this.
TrickBot's been kicking around since 2016, operated by,
if not explicitly the Russian state, then certainly a group of hackers who all speak Russian,
running riot through banking, healthcare, and acting as this service for hire for people all over the world
looking to loot and steal data online.
But this year, it becomes patently clear that TrickBot has become so prevalent, so pervasive,
that there's a very real chance it is infecting or targeting computers that the United States
might be relying on for its elections.
And if it hasn't, then there's a decent chance it's been used in a campaign to target those computers.
So, a mission is embarked upon to bring down TrickBot and secure American democracy,
spearheaded by none other than Microsoft.
I am being glib.
Microsoft is a power player in Infosec, and they've worked on large-scale campaigns like this before,
but still, a private company tackling a threat to a nation's democracy. Not really what you'd expect. Bringing us all the way to Fort Meade, Maryland.
Right into the center of an imposing $500 million concrete and glass facility nestled in a sprawling
complex of other $500 million concrete and glass facilities. Right into the heart of the American
military. Right into the heart of Cyber Command. The newest U.S. military
Command is responsible not for a piece of land or air, but cyberspace.
Special correspondent Mike Surrey has this exclusive inside view of the men and women protecting
the military's digital networks at the United States Cyber Command.
Cyber Command.
Formed in 2009 and elevated to a full and independent command in 2017, Cyber Command is the
cyberspace operation of the Department of Defense.
and while not initially reported as such, the tip of the spear in the attack against TrickBot.
And suddenly, this weird, confusing story all kind of clicks together.
In the months prior to a contested election with documented foreign interference,
TrickBot is identified as a potential threat,
a potential attack vector through which machines,
essential to the election's operations, could be compromised,
throwing the results of that election into doubt.
So, either in parallel with or as part of a consortium of infosec companies with Microsoft as the public face,
Cyber Command launches an attack to take both infected machines and control servers offline.
And it works.
Congratulations.
Job well done.
Democracy secured.
Until a few days after the seizure of TrickBot's U.S. servers, some
spam goes out, trying to lure in new machines to join none other than TrickBot.
U.S. intelligence group Intel 471 reported that within four days after the attack,
TrickBot was back up and running.
Admiral Mike Rogers commands both the NSA and U.S. Cyber Command.
Today we face threats that have increased in sophistication, magnitude, intensity, volume, and velocity.
So here's what happened.
This operation, the one we've been talking about, did take down all of TrickBot's command and control servers in the United States.
But as of the following Thursday afternoon, 11 servers outside of the country that had been running before this action were still online.
From Jakarta, Indonesia, to the Dutch province of Utrecht, to Bogota, TrickBot was alive and well, operating all over the world.
General Paul Nakasone, head of Cyber Command, called this tactic, called this plan,
part of what he calls persistent engagement.
Basic idea being that by constantly engaging your enemy with attacks like this,
you're demanding some of their attention at all times, diminishing their capacity to do harm.
Which is a very glass-half-full way of looking at what happened here.
These cyber teams are drawn from all the services and ranks.
Some were trained by the military.
Others were recruited for their cyber skills.
You know, it's not like fighting a war in another domain
where you deploy troops, you fight, you go home.
Conflict in the cyber domain is constant.
And the results of Cybercom's first official cyber attack
meant to disable the means for an enemy cyber attack,
what's known as a force-on-force attack.
In a way, Cybercom attacking TrickBot is historic.
Actually, no, I want to unpack that a little bit.
But saying it's the first force-on-force attack that the U.S. has ever launched, and we got that
language from a pretty in-depth Wired interview with Paul Nakasone.
It's kind of making a distinction without a difference.
Like, I'm sure there's a way to explain how this attack against TrickBot is different than
the attack the U.S. launched in 2012 against Iran, but I can't think of what it is.
So knowing what we know, having seen what we've seen, having experienced the scope of
difficulty of trying to take this kind of thing down.
Is there any way to keep these machines secure?
Is there any way to keep this system safe?
Yeah, well, I think, you know, the classic,
you could always go to the classic, which is air-gapping everything,
essentially just take them off the internet.
So any kind of electoral systems run on private, secured networks
that don't touch the outside world,
which to me makes loads of sense.
I think the moving the hydra, you know, moving the head of the hydra from American servers back to native Russian servers or, you know, wherever they need to be, is fine.
You know, I think there's a lot of control that the governments have over data traffic coming in and out.
So they probably have the ability to filter out a lot of, if they can pinpoint precision, choose, and know the addresses that it's communicating through, they can probably do a lot of work to disable it at the nation level.
which doesn't do anything to the actual hydra itself
besides like cut off an arm,
the American arm of it's missing.
But even then they're probably so smart
that there's other ways to backdoor into them
and teach them and get them to train.
You know, bypassing any kind of control these days
seems pretty easy.
You know, we have technological snooping
and monitoring on our communication devices.
So, you know, I listened to a podcast the other day
about a drug ring out of Colorado called the Syndicate
and they were using some iOS games messenger platform inside of it.
And it's like, you know, nobody's looking for illegal communications there.
So I'm sure these malware bots are not using just dedicated network traffic
and connecting between each other,
but they're using other types of platforms and stuff to communicate.
Is the takeaway then that like, it feels defeatist to say this.
but is the idea that, okay, well, if chaos machines exist,
that we cannot turn off, we cannot disable,
there are too many of them and they're too plentiful,
is the result then that we just need to find better ways
to insulate our institutions from chaos?
Like, it's like, you can't probably turn off the chaos machine at this point.
People can create chaos in other countries' democracies.
That seems to just be a thing that we have to now live with.
I think it's been a thing that we've lived with.
It's just, though, I think we're a little bit more used to being friends of the people
that were doing it rather than having it done to us.
And we've seen how just tricky it can be to bounce back from this, for a country to
bounce back from something like this.
It's possible, but it's tough.
All you have to do is, like, if you try and comprehensively understand Venezuela, you
will see that, like, nobody is pure.
And I think that's, you know, what has happened in the meddling that went on in Venezuela,
we're starting to see happening in America.
You know, everything is in doubt because of foreign influence,
which arms both sides of the fight
because everybody is pointing fingers at everyone else,
which then just causes more chaos.
And we've just gotten better at exerting influence.
Yeah, I think everybody's gotten better at exerting influence.
I think we're, as far as, you know, mass social manipulation goes,
I think it's only like a couple hundred-year-old game that we've been playing,
and we're getting new tools and new techs and new mediums and new platforms
and new information to do it with.
We didn't want to do a normal election episode,
and this story is nice in that it kind of sneaks its way around to being about that.
In the four years since our last election special,
the tools that people use to sow distrust in an election have gotten,
if not more powerful than certainly more refined.
And if this story, story of TrickBot, teaches us anything,
as much of a grab bag of a story as it is,
it's that elections and I guess democracies as a whole
are kind of like a currency.
Faith plays a big role.
Once people lose faith, it becomes worth less.
Most of that isn't hacking at social engineering and misinformation,
but I think there are still really important lessons
in the story of the attack on TrickBot
about how fragile that trust can be.
Scott and I are Canadian, witnesses to this American election that's happening after this episode drops, not participants in it.
So I guess just all I really have to say is good luck.
May this be the peak of the distrust and not the beginning.
Thanks for listening.
