Microsoft leads operation to take down botnet
Microsoft organised 35 nations on Tuesday to take down one of the world's largest botnets - malware that secretly seizes control of millions of computers around the globe. It was an unusual disruption of an Internet criminal group, because it was carried out by a company, not a government.
The action, eight years in the making, was aimed at a criminal group called Necurs, believed to be based in Russia. Microsoft employees had long tracked the group as it infected nine million computers around the world, hijacking them to send spam e-mails intended to defraud unsuspecting victims. The group also mounted stock market scams and spread ransomware, which locks up a computer until the owner pays a fee.
Over the past year, Microsoft's Digital Crimes Unit has been quietly lining up support from legal authorities in countries around the world, convincing them that the group had seized computers in their territories to conduct future attacks.
"It's a highway out there that is used only by criminals," Amy Hogan-Burney, the general manager of the Digital Crimes Unit and a former FBI lawyer, said on Tuesday. "And the idea that we would allow those to keep existing makes no sense. We have to dismantle the infrastructure."
The team struck on Tuesday, from an eerily empty Microsoft campus. Tens of thousands of workers had been ordered to stay home because the area near the headquarters in Redmond, Washington, has been a hot spot for the coronavirus. But taking down a botnet, the company concluded, was not a work-from-home task.
After cleansing the Digital Crimes Unit's command centre to eliminate any live viruses, a small team of Microsoft workers gathered in a conference room at 7 am, flipped open their laptops and began coordinating action against another kind of global infection.
As soon as a federal court order against the Necurs network was unsealed, they began prearranged calls with authorities and network providers around the world to strike Necurs at once, cutting off its connections to computers around the globe.
"Was Mongolia hit? I think it was in the court order," one Microsoft employee asked. There was debate about Somalia - "a very last-minute win", another noted - and discussion of the fact that Nevis, the Caribbean island, was both the birthplace of Alexander Hamilton and an unwitting host for a small element of the botnet.
"Tajikistan?" one person in the room asked, looking for it to turn green on a map overhead, indicating that the botnet had been neutralised there. "No joy yet."
Rapidly, they took over or froze six million domain names that Necurs was using or had inventoried for future attacks. A domain name is the address of a website, but Necurs had created an algorithm to generate millions of new domains, often with deceptive names, for future use against unsuspecting victims. Microsoft engineers had cracked the algorithm, allowing them to predict the domains the botnet would use next.
Domain names are sold around the world, a profitable business, but Ms Hogan-Burney said she had no illusions that the group would be permanently disabled. "We've cut off their arms, for a while," she said.
Necurs is not believed to be a state-sponsored Russian group. But intelligence officials said it is tolerated by the Russian state, and the Kremlin's intelligence services regularly use private actors to pursue their goals.
The Internet Research Agency, which mounted the social media disinformation campaign on Facebook and other platforms during the 2016 US presidential election, was a private group, though founded by a close friend of Russian President Vladimir Putin.
By Tuesday's end, there was satisfaction that, for the 18th time in 10 years, Microsoft had taken down a digital criminal operation. But it was unclear whether anyone would be indicted, or, even if indicted, whether they would ever face a trial. NYTIMES