The U.K. and U.S. governments on Thursday sanctioned 11 individuals who are alleged to be part of the notorious Russia-based TrickBot cybercrime gang.
"Russia has long been a safe haven for cybercriminals, including the TrickBot group," the U.S. Treasury Department said, adding it has "ties to Russian intelligence services and has targeted the U.S. Government and U.S. companies, including hospitals."
The targets of the sanctions are administrators, managers, developers, and coders who are believed to have provided material assistance in its operations. Their names and roles are as follows -
- Andrey Zhuykov (aka Adam, Defender, and Dif), senior administrator
- Maksim Sergeevich Galochkin (aka Bentley, Crypt, Manuel, Max17, and Volhvb), software development and testing
- Maksim Rudenskiy (aka Binman, Buza, and Silver), team lead for coders
- Mikhail Tsarev (aka Alexander Grachev, Fr*ances, Ivanov Mixail, Mango, Misha Krutysha, Nikita Andreevich Tsarev, and Super Misha), human resources and finance
- Dmitry Putilin (aka Grad and Staff), purchase of TrickBot infrastructure
- Maksim Khaliullin (aka Kagas), HR manager
- Sergey Loguntsov (aka Begemot, Begemot_Sun, and Zulas), developer
- Vadym Valiakhmetov (aka Mentos, Vasm, and Weldon), developer
- Artem Kurov (aka Naned), developer
- Mikhail Chernov (aka Bullet and m2686), part of the internal utilities group
- Alexander Mozhaev (aka Green and Rocco), part of the team responsible for general administrative duties
Evidence gathered by threat intelligence firm Nisos late last month revealed that Galochkin "changed his name from Maksim Sergeevich Sipkin, and that he has significant financial debt as of 2022."
"The individuals, all Russian nationals, operated out of the reach of traditional law enforcement and hid behind online pseudonyms and monikers," the U.K. government said. "Removing their anonymity undermines the integrity of these individuals and their criminal businesses that threaten U.K. security."
The development marks the second time in seven months the two governments have levied similar sanctions against multiple Russian nationals for their affiliation to the TrickBot, Ryuk, and Conti cybercrime syndicates.
Dmitriy Pleshevskiy, one among those sanctioned in February 2023, has since denied any involvement with the TrickBot gang, stating he used the "Iseldor" alias online to do unspecified programming tasks on a freelance basis.
"These tasks did not seem illegal to me, but perhaps that is where my involvement in these attacks comes in," Pleshevskiy was quoted as saying to WIRED, which unmasked Galochkin as one of the key members of TrickBot after a monthslong investigation.
Two other TrickBot developers have been apprehended and indicted in the U.S. to date. Alla Witte, a Latvian national, pleaded guilty to conspiracy to commit computer fraud and was sentenced to 32 months in June 2023. A Russian named Vladimir Dunaev is currently in custody and pending trial.
An evolution of the Dyre banking trojan, TrickBot started off along similar lines in 2016 before evolving into a flexible, modular malware suite that allows threat actors to deploy next-stage payloads such as ransomware.
Way Too Vulnerable: Uncovering the State of the Identity Attack Surface
Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats
The e-crime group, which managed to survive a takedown effort in 2020, was absorbed into the Conti ransomware cartel in early 2022, and as evidenced by the roles mentioned above, functioned akin to a legitimate enterprise with a professional management structure.
Conti formally disbanded in May 2023 following a wave of leaks two months earlier that offered unprecedented insight into the group's activities, which, in turn, was triggered by the group's support for Russia in the latter's war against Ukraine.
The anonymous dumps, dubbed ContiLeaks and TrickLeaks, sprang up within days of each other at the start of March 2022, resulting in the release of reams of data on their internal chats and infrastructure online. A prior account named TrickBotLeaks that was created in X (formerly Twitter) was quickly suspended.
"In total, there are approximately 250,000 messages which contain over 2,500 IP addresses, around 500 potential crypto wallet addresses, and thousands of domains and email addresses," Cyjax noted in July 2022, referring to the cache of TrickBot data.
According to the U.K. National Crime Agency (NCA), the group is estimated to have extorted at least $180 million from victims globally, and at least £27m from 149 victims in the U.K.
Despite ongoing efforts to disrupt Russian cybercriminal activity through sanctions and indictments, the threat actors continue to thrive, albeit operating under different names to evade the ban and leveraging shared tactics to infiltrate targets.