Welcome to cyberwar: The U.S., in collaboration with the UK, has imposed sanctions on eleven members of the Russia-based Trickbot cybercrime organization, which is allegedly protected by Russia. The action was taken by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). Simultaneously, the U.S. Department of Justice (DOJ) has charged nine individuals linked to the Trickbot malware and Conti ransomware operations, seven of whom are among those sanctioned by OFAC.
The OFAC Cyberwar Sanctions
According to the OFAC, the Russian individuals sanctioned today are integral members of the Trickbot group, which has connections to Russian intelligence and has targeted the U.S. government, businesses, and healthcare facilities, especially during the COVID-19 crisis.
Those sanctioned include Trickbot’s administrators, managers, developers, and coders. The action underscores the joint U.S. and UK effort to curb Russian cybercrime and follows a previous joint designation in February 2023.
Trickbot: Russia’s Infamous Cyber Gang
Trickbot background: Trickbot, taken down in 2022, was malware designed to steal money and aid ransomware installation, impacting hospitals, schools, and businesses with massive financial losses. It acted as an initial intrusion vector into victim computer systems for ransomware variants like Conti, which targeted over 900 global victims, including in 47 U.S. states and 31 countries. In 2021, the FBI noted Conti as the leading ransomware attacking critical infrastructure.
In 2016, Trickbot evolved from the Dyre trojan, an online banking malware created by Moscow-based cybercriminals. It has affected millions of victims globally, especially in the U.S. During the COVID-19 peak in 2020, Trickbot launched ransomware attacks on U.S. healthcare facilities, attacks that are seen as part of the ongoing cyberwar. The group even boasted about its successful attacks. It has ties to Russian intelligence and has aligned its actions with Russian state goals.
Key members of the Trickbot group, sanctioned by OFAC, include:
- Andrey Zhuykov: Senior administrator, also known as Dif and Defender.
- Maksim Galochkin: Led a testing team, known as Bentley, Crypt, and Volhvb.
- Maksim Rudenskiy: Coding team leader.
- Mikhail Tsarev: Managed HR and finance, known by various monikers.
- Dmitry Putilin: Involved in Trickbot infrastructure procurement, known as Grad and Staff.
- Maksim Khaliullin: HR manager, known as Kagas.
- Sergey Loguntsov: Developer.
- Vadym Valiakhmetov: Coder, known as Weldon, Mentos, and Vasm.
- Artem Kurov: Coder, known as Naned.
- Mikhail Chernov: Part of internal utilities, known as Bullet.
- Alexander Mozhaev: Admin team member, known as Green and Rocco.
OFAC designated these Trickbot-related individuals under Executive Orders for their significant support of malicious cyber activities. Details of the sanctioned individuals are available on the OFAC website.
Implications of the Sanctions
The sanctions are part of the cyberwar between the U.S. and Russia. As a result of these sanctions, all assets of the sanctioned individuals within the U.S. or under U.S. control must be blocked and reported to OFAC. Engaging in transactions with these individuals could itself lead to sanctions, and foreign financial institutions that assist them might face U.S. sanctions as well. The stated aim of the sanctions is to induce a positive change in behavior rather than merely to punish.