On February 9, 2023, the United States, in coordination with the United Kingdom, designated seven individuals who are part of the Russia-based cybercrime gang Trickbot. The seven Russian individuals sanctioned—Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev and Valery Sedletski—were all alleged by the U.S. Treasury Department to be members of the Russian-based cybercriminal group Trickbot. In addition, they are alleged to be behind attacks on critical infrastructure, including hospitals in both the U.S. and the U.K. during the Covid-19 pandemic, and are associated with Russian intelligence services.
The sanctions announcement represents the very first sanctions of their kind for the U.K. and are a result from a collaborative partnership between the U.S. Department of the Treasury’s Office of Foreign Assets Control and the U.K.’s Foreign, Commonwealth, and Development Office; the National Cyber Security Centre, the National Crime Agency; and His Majesty’s Treasury. This action is the latest effort by Western nations to crack down on Russian hacking operations, which have surged in the past year as a result of the Russian-Ukraine conflict and heightened tensions with the West.
Secretary of State Antony Blinken issued a supporting statement, saying “[t]he United States and the U.K. are leaders in the global fight against cybercrime and are committed to using all available tools to defend against cyber threats,”. He continued, stating “[a]s Russia’s illegal war against Ukraine continues, cooperation with our allies and partners is more critical than ever to protect our national security.” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson echoed Antony Blinken’s statement, saying “[c]yber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system . . . [t]he United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”
Trickbot
Trickbot, first identified in 2016 by security researchers, was a trojan virus that evolved from the Dyre trojan. Dyre was an online banking trojan operated by individuals based in Moscow, Russia, that began targeting non-Russian businesses and entities in mid-2014. Dyre and Trickbot were developed and operated by a group of cybercriminals to steal financial data. The Trickbot trojan viruses infected millions of victim computers worldwide, including those of U.S. businesses, and individual victims. It has since evolved into a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks. During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States, United Kingdom and Ireland. In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.
OFAC New Sanctions Designations
According to OFAC in its announcement, which can be read here in full, Vitaly Kovalev (AKA the online monikers “Bentley” and “Ben”), Maksim Mikhailov (AKA the online moniker “Baget”), Valentin Karyagin (AKA the online moniker “Globus”), Mikhail Iskritskiy (AKA the online moniker “Tropa”), Dmitry Pleshevskiy (AKA the online moniker “Iseldor”), Ivan Vakhromeyev (AKA the online moniker “Mushroom”), and Valery Sedletski (AKA the online moniker “Strix”) of the Trickbot Group are allegedly associated with Russian Intelligence Services. Further, their actions as a member of Trickbot Group have allegedly targeted the U.S. government and U.S. companies.
OFAC designated each of these individuals pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, for having materially assisted, sponsored, or provided material, or technological support for, or goods or services to or in support of, an activity described in subsection (a)(ii) of section 1 of E.O. 13694, as amended.
Read here for more information concerning the OFAC designated individuals and entities.
UK Sanctions
The same seven individuals have been designated in the UK under the Cyber (Sanctions) (EU Exit) Regulations 2020, on the basis of engaging in, supporting with financial or technical assistance, or otherwise facilitating cyber activity which:
- undermines, or is intended to undermine, the integrity, prosperity or security of the UK or another country;
- directly or indirectly causes, or is intended to cause, economic loss to, or prejudice to the commercial interests of, those affected by the activity;
- undermines, or is intended to undermine, the independence or effective functioning of an international organisation, or a non-governmental organisation or forum whose mandate or purposes relate to the governance of international sport or the internet; or
- otherwise affects a significant number of persons in an indiscriminate manner.
Making funds available to the individuals such as paying ransomware, including in crypto assets, is prohibited under these sanctions. Each individual is also prohibited from entering the UK under a travel ban.
A joint statement from the UK entities involved can be found here.
Keeping Your Business Secure
At Herbert Smith Freehills, we understand that managing cyber risk is one of the highest priorities for our clients and actively remain appraised of emerging legal issues in the cyber security realm. This is why we have built a dedicated cyber practice to provide 360-degree cyber risk management and incident response services.
For more information concerning what Herbert Smith Freehills can offer you, please visit the HSF Cyber Risk Advisory page which details how we can help you with all your cyber security needs, including cyber risk and management advisory, incident response, and post-incident response.
***
We will continue to monitor developments in this area, and encourage you to subscribe to be kept informed of latest developments. Please contact the authors or your usual Herbert Smith Freehills contacts for more information.
Key contacts
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.