Trickbot: On the Payroll of the Russian Government

Alongside the distributed denial-of-service (DDoS) attacks, defacements and attempted sabotage attributed to Kremlin-sponsored actors, IBM analysts have gathered evidence suggesting that the Russian cybercriminal group behind Trickbot (tracked as Wizard Spider, DEV-0193 and ITG23) has systematically attacked Ukraine since the beginning of the Russian invasion of the country, and that it has been guided by, and acted directly in the interests of, the special services of the Russian Federation.

From mid-April to mid-June 2022, the Trickbot group conducted at least six cyber campaigns against organizations in Ukraine, deploying several malware families: IcedID, CobaltStrike, AnchorMail and Meterpreter. Before the Russian invasion, the Trickbot gang did not target Ukraine, and its malware was configured not to run on systems whose language settings were Ukrainian. The systematic attacks observed against Ukraine include confirmed and suspected phishing campaigns against Ukrainian state authorities, Ukrainian citizens and organizations, and the general population.

Four of these campaigns were discovered by CERT-UA, the Ukrainian government’s computer emergency response team, which tracks the activity under the group name UAC-0098.

IBM’s own experts, who work on cyber security risk analysis and insider threats in the private and public sectors, identified the remaining two as spam campaigns against targets in Ukraine.

Analysis of the collected data established that ITG23 itself controls the delivery of the emails and malware in these campaigns; they are not run by independent distribution affiliates. None of the campaigns matches the methods that ITG23’s known third-party affiliates use to deliver payloads to their targets.

The experts also discovered several new malicious programs and tools, and identified a number of features indicating that the campaigns were conducted directly by ITG23 personnel under the direction of Russia:

  • three of the six campaigns used a malicious Excel downloader to retrieve the payload; this downloader has not been seen in other campaigns;
  • two campaigns used ISO image files to distribute payloads; these ISO files were likely created with the proprietary ISO builder that powered earlier campaigns delivering ITG23 payloads;
  • five of the six campaigns downloaded CobaltStrike, Meterpreter or AnchorMail directly onto the target machine. Normally these payloads arrive later in an infection chain that begins with a loader such as Trickbot, Emotet or IcedID, which suggests that these attacks are targeted campaigns in which ITG23 is prepared to deploy its higher-cost backdoors immediately;
  • the CobaltStrike and IcedID payloads used in four of the six campaigns were protected with ITG23’s Tron, Hexa or Forest crypters (the presence of an ITG23 crypter on a sample is strong evidence that its developer, distributor or operator is part of, or affiliated with, ITG23).

We can therefore expect a further increase in the activity of Russia-linked cyber groups and in the scale of their criminal operations, as well as a heightened risk to the financial sector.

Pavlo Kryvenko

Head of AI and Cyber Security Section

He has been working as Head of the Information and Cyber Security Section and Coordinator of the Artificial Intelligence Platform at the Center for Army, Conversion and Disarmament Studies (Kyiv, Ukraine). Pavlo is the founder of the GODDL company.

He has worked as a member of the delegation of the Communication Administration of Ukraine at the World Radiocommunication Conference (Geneva, Switzerland) and as a Cyber Security Consultant at the Bar Association Defendo Capital (Kyiv, Ukraine).

Pavlo has collaborated with the National Communications and Informatization Regulatory Commission and the Ukrainian State Radio Frequency Center for International Frequency Coordination.

He studied at the Institute of International Relations of the Kyiv International University (Ukraine), the Joint Frequency Management Center of the US European Command, the LS telcom AG Training Center (Grafenwöhr, Germany) and the UN International Peacekeeping and Security Center (Kyiv, Ukraine).

July 2022