US, UK Join Forces to Sanction Trickbot Leaders

In a first for the UK—and de rigueur for the U.S.—the U.S. Department of the Treasury’s Office of Foreign Assets Control and the U.K.’s Foreign, Commonwealth and Development Office, National Crime Agency and His Majesty’s Treasury sanctioned leadership of the notorious Russian cybergang Trickbot.

The mutual action took aim at seven of the group’s top players, according to the Treasury Department:

Vitaly Kovalev was a senior figure within the Trickbot Group. Vitaly Kovalev is also known by the online monikers “Bentley” and “Ben.” Today, an indictment was unsealed in the U.S. District Court for the District of New Jersey charging Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victim bank accounts held at various U.S.-based financial institutions that occurred in 2009 and 2010, predating his involvement in Dyre or the Trickbot Group.

Maksim Mikhailov has been involved in development activity for the Trickbot Group. Maksim Mikhailov is also known by the online moniker “Baget.”

Valentin Karyagin has been involved in the development of ransomware and other malware projects. Valentin Karyagin is also known by the online moniker “Globus.”

Mikhail Iskritskiy has worked on money-laundering and fraud projects for the Trickbot Group. Mikhail Iskritskiy is also known by the online moniker “Tropa.”

Dmitry Pleshevskiy worked on injecting malicious code into websites to steal victims’ credentials. Dmitry Pleshevskiy is also known by the online moniker “Iseldor.”

Ivan Vakhromeyev has worked for the Trickbot Group as a manager. Ivan Vakhromeyev is also known by the online moniker “Mushroom.”

Valery Sedletski has worked as an administrator for the Trickbot Group, including managing servers. Valery Sedletski is also known by the online moniker “Strix.”

“Cybercriminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system,” Under Secretary Brian E. Nelson said in a release. “The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”

Calling the joint effort “a hugely significant moment for the UK and our collaborative efforts with the U.S. to disrupt international cybercriminals,” the UK’s National Crime Agency Director-General Graeme Biggar said, “The sanctions are the first of their kind for the UK and signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies. They show that these criminals and those that support them are not immune to UK action, and this is just one tool we will use to crack down on this threat and protect the public.”

Trickbot first came to light around 2014 (though it wasn’t identified until 2016) as a Trojan spawned by the Dyre online banking trojan, targeting non-Russian businesses and entities in an effort to steal financial data. In the years since, it has evolved into a modular malware suite that gives its operators a wide range of versatile illegal capabilities. The group showed itself to be even more depraved during the COVID-19 pandemic with a barrage of attacks against hospitals and health care centers.

The joint sanctions mean that “all property and interests in property of the individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. OFAC’s regulations generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of blocked or designated persons,” the Treasury release noted.

“These sanctions are a welcome sight despite the fact that they may be academic, since sanctions already exist. What these new sanctions could accomplish is to make it harder for the seven involved to launder their ill-gotten gains,” said Timothy Morris, chief security advisor at Tanium. “Also, they will probably be careful with any vacation plans for fear of capture or extradition. It is good to see sanctions and takedowns that have cross-jurisdictional cooperation.”

In some cases, the sanctions could extend to people who “engage in certain transactions” with those Trickbot leaders. “Foreign financial institutions that knowingly facilitate a significant transaction or provide significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions,” Treasury said.

“We’ve not seen any Trickbot activity since the February 2022 blog post. It is highly likely that Trickbot won’t be seen again,” the Intel 471 Threat Research Team noted. “One possible scenario is that the source code may be sold or leaked and other threat actors could re-use it or fork the source into a new project.”

“The Trickbot Group may have been stymied by advances in security technology and expertise. Over time, researchers got better at tracking it, antimalware products got better at detecting it and defenders got better at protecting their networks against it,” Intel 471 researchers said. “To add to this, the offensive actions of U.S. Cybercom and Microsoft made Trickbot harder to operate. The Trickbot gang cut their losses and chose Emotet to replace it.”

And the danger isn’t likely to abate. “Whether it is Trickbot, Emotet, Conti or Ryuk, they all need to be defended against. These large criminal gangs, botnet and malware operations tend to have many things in common, including the affiliates that will go to the highest ‘bidder’ when infecting organizations,” said Morris. “Many malware strains have a ‘genealogy’ that can link them. So, as malware evolves, it uses the experience and effectiveness of previous versions to improve—much like legit software companies do.”

Teri Robinson