“Russian criminal affairs are not going anywhere. In fact, we are now probably closer to security services than ever before,” says John Hultquist, Chief Analyst for Mandiant Intelligence at Google Cloud. “Because they are actually carrying out attacks and doing things that benefit the security service, the security service has every interest in protecting them.”
Analysts have repeatedly concluded that cybercriminals operating in Russia have ties to the Kremlin, and these connections are becoming clearer. When the UK and US sanctioned members of Trickbot and Conti in February, they said the members were associated with “Russian intelligence services.” The announcement further said that some of their actions were “likely” directed by the Russian government, and that the criminals chose at least some of their victims based on “previous targeting by Russian intelligence services.”
The chat logs contained in the Trickleaks data provide valuable insight into the nature of these connections. In 2021, two alleged Trickbot members, Alla Witte and Vladimir Dunaev, appeared in a US court to be prosecuted for cybercrime. Nisos analysis shows that in November 2021, Trickleaks chats showed members worried about their safety and panicking when they lost access to their cryptocurrency wallets. But someone using the handle Silver (probably a senior member of Trickbot) offered some comfort. They said the Russian Interior Ministry was “against” them, but the intelligence services were “on our side or neutral”. They added that “the boss has the right connections.”
That same month, a member using the pseudonym Manuel, who has ties to Galochkin, said he believed Trickbot leader Stern had been involved in cybercrime “since 2000,” according to the Nisos analysis. Another member, known as Angelo, responded that Stern was “the link between us and the FSB rank/department heads.” Previous Conti leaks have also shown links to Russian intelligence and security services.
Business as usual
Despite global efforts to stop Russian cybercriminal activity through sanctions and prosecutions, gangs like Trickbot continue to thrive. “Not much has changed in any appreciable way,” said Ole Villadsen, a senior analyst in IBM’s X-Force security group. He notes that many of the Trickbot and Conti members are still active, continue to communicate among themselves, and use shared infrastructure to launch attacks. Factions in the group “continue to work together behind the scenes,” Villadsen said.
Chainalysis’ Jackie Burns Koven said the company sees similar long-standing relationships reflected in crypto wallet data. “Since the Conti diaspora, we still see economic interconnections among the old guard,” she says. “There’s still a symbiotic relationship.”
Deterring cybercrime across different jurisdictions and under different geopolitical conditions is difficult. But even with limited influence in Russia (Western law enforcement has little chance of arresting individuals, much less extraditing them), naming and shaming cybercriminals can have an impact. Holden, who has studied Trickbot for many years, says Trickbot members react in a variety of ways to being unmasked. “Some people have retired, some people have changed their nicknames, and some people basically just didn’t care because it didn’t have a big impact on the community,” Holden said. But revealing people’s identities could mean they become “unwelcome” within the community, he added.
Cybernite Intelligence CEO Vasovic said that when the Trickleaks account first started posting on Twitter, it also published a photo of Galochkin to expose his identity. Like other cybersecurity researchers who have exposed ransomware criminals, Vasovic received threats of violence and online harassment after his disclosure. Emails and private chat messages he shared with WIRED show an unidentified individual, claiming to work for multiple anonymous cybercriminal groups, threatening not only Vasovic but also his children.
“They’re trying to stir up fear. And if it works, it works. And if it doesn’t, it doesn’t,” Vasovic says. In fact, the person who made the threat insisted to Vasovic that he had already been prosecuted and could no longer take his wife and daughter on trips abroad. This person also claimed that at one point he was interrogated by Russian agents for two hours, specifically regarding Trickbot, before being released. Still, the man seemed confident that he would not be punished for threatening Vasovic from within Russia’s borders. “No one will be sent to America,” they boasted. “There is no risk here.”