17 February 2023

Cyber Sanctions Are Nice; Digital Takedowns Are Better

Annie Fixler, John Hardie

The U.S. Treasury Department and several UK agencies announced sanctions on Thursday against seven members of a Russia-based cybercriminal group known as Trickbot. While these sanctions — the first UK designations targeting cybercriminals — are welcome, crippling the group will require further Western action.

For nearly a decade, the Trickbot gang has stolen online banking information and used ransomware to extort victims, Treasury and the UK government explained. Trickbot is intertwined with other Russian ransomware groups, including Conti and Ryuk. The British announcement blamed Trickbot for cyberattacks on hospitals, including the Irish Health Service Executive. The U.S. government previously called Trickbot “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers” amid a wave of ransomware attacks during the COVID-19 pandemic.

While noting that Trickbot is primarily financially motivated, both the U.S. and UK statements linked the group to Russian intelligence. Moscow has created a “haven for cybercriminals,” Treasury noted, and at times uses them to serve state or private interests. The UK National Cyber Security Centre said Trickbot members “have likely received tasking” from Russian intelligence.

Ahead of the 2020 U.S. elections, both U.S. Cyber Command and an international coalition of companies, led by Microsoft, temporarily disabled Trickbot’s infrastructure over concerns the group would try to disrupt the election. After Conti backed Russia’s invasion of Ukraine, a private researcher leaked a trove of Trickbot data highlighting the group’s connections to Russia’s security services and confirming its relationships with Conti and Ryuk. IBM later revealed that Trickbot has begun systematically targeting Ukraine.

Although a good step, Thursday’s sanctions likely will not achieve more than a marginal financial impact on Trickbot. The sanctions bar U.S. and UK persons from transacting with the seven designated individuals. Other persons who support the hackers could face sanctions as well. But Washington and London refrained from designating Trickbot itself, meaning its victims can still pay ransom to the group so long as they do not transact with sanctioned persons. Although Treasury has previously warned that paying ransoms may run afoul of sanctions, London is reportedly keen to avoid potentially “re-victimizing” hacking targets by making ransomware payments illegal.

However, sanctions are not the only tool the United States and its Western allies have in their arsenals. The new sanctions build on parallel efforts by U.S. and European law enforcement targeting cybercriminal gangs. The Department of Justice (DOJ) on Thursday unsealed an indictment against one of the Trickbot hackers for cyber fraud dating back more than a decade. Three days prior, Russian national Denis Mihaqlovic Dubnikov pleaded guilty to laundering cryptocurrency proceeds from Ryuk ransomware attacks. Dutch authorities had arrested Dubnikov in November 2021 and extradited him to the United States.

Last month, the United States and European countries disabled the digital infrastructure of the cryptocurrency exchange Bitzlato and arrested its senior executives on charges of facilitating criminal payments. The exchange had reportedly facilitated Conti ransomware proceeds, and Treasury labeled it a “primary money laundering concern.” Days later, American, German, and Dutch authorities seized the servers of another Russian ransomware group, known as Hive. Prior to the takedown, FBI agents had hacked into Hive’s networks and quietly provided decryption keys to its victims, starving the group of $130 million in potential ransomware payments, according to DOJ.

UK authorities pledged that Thursday’s sanctions would be the start of a “new campaign of concerted action” against ransomware, in coordination with Washington. The Record reported that additional actions are expected later this year.

As part of this campaign, the two allies should encourage other countries to join their efforts, starting by matching Thursday’s designations. While limited in impact, sanctions are a valuable first step against ransomware actors. To deal Trickbot a harder blow, however, Washington and its allies will need to disable the group’s digital infrastructure and arrest its hackers and moneymen if and when they venture outside Russia.