Microsoft takes down Russian botnet in global op

WASHINGTON • Microsoft this week organised 35 nations to take down one of the world's largest botnets - malware that secretly seizes control of millions of computers around the globe. It was an unusual disruption of an Internet criminal group because it was carried out by a company, not a government.

The action, eight years in the making, was aimed at a criminal group called Necurs, believed to be based in Russia. Microsoft employees had long tracked the group as it infected nine million computers around the world, hijacking them to send spam e-mails to defraud victims. The group also mounted stock market scams and spread ransomware, which locks up a computer until the owner pays a fee.

Over the past year, Microsoft's digital crimes unit has been quietly lining up support from global legal authorities, convincing them that the group had seized computers in their territories.

The team struck on Tuesday from the Microsoft campus in Redmond, Washington, where they gathered in a conference room at 7am and began coordinating action against Necurs. As soon as a federal court order against the Necurs network was unsealed, they began prearranged calls with the authorities and network providers around the world to cut off Necurs' connections to computers. They took over or froze six million domain names that Necurs was using or had inventoried for future attacks.

Ms Amy Hogan-Burney, the general manager of the digital crimes unit and a former FBI lawyer, said she had no illusions about the group being permanently disabled. "We've cut off their arms, for a while," she said.

Necurs is not believed to be a state-sponsored Russian group. But intelligence officials say it is tolerated by the Russian state, and that on regular occasions the Kremlin's intelligence services use private actors to pursue their goals.

The Internet Research Agency, which mounted the social media disinformation campaign on Facebook and other platforms during the 2016 US presidential election, was a private group, though founded by a close friend of President Vladimir Putin of Russia.

Tuesday's operation was the 18th time in 10 years that Microsoft had taken down a digital criminal operation. But it was unclear whether anyone would be indicted.

"The cyber criminals are incredibly agile," said Mr Tom Burt, who leads Microsoft's security and trust operations, "and they come back more sophisticated, more complex. It is an ultimate cat-and-mouse game."

The next battlefield would be the US presidential election later this year. "They will play many of the same moves they used in 2016," Mr Burt said. "But they will use others as well," including the possibility of ransomware that locks up local voter registration systems.

NYTIMES

A version of this article appeared in the print edition of The Straits Times on March 12, 2020, with the headline 'Microsoft takes down Russian botnet in global op'.