



US and UK launch historic joint cyber sanctions

WASHINGTON - Today, the United States, in coordination with the United Kingdom, is designating seven individuals who are part of the Russia-based cybercrime gang Trickbot. This action represents the first sanctions of their kind for the UK and is the result of a collaborative partnership between the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the UK’s Foreign, Commonwealth, and Development Office; National Crime Agency; and Her Majesty’s Treasury to disrupt Russian cybercrime and ransomware.

“Cybercriminals, especially those based in Russia, seek to attack critical infrastructure, target American companies and exploit the international financial system,” said Under Secretary Brian E. Nelson. “The United States is now acting in partnership with the United Kingdom because international cooperation is essential to combat Russian cybercrime.”

Russia is a haven for cybercriminals, where groups such as Trickbot freely conduct malicious cyber activities against the US, UK and their allies and partners. These malicious cyber activities targeted critical infrastructure in the United States and the United Kingdom, including hospitals and medical facilities during a global pandemic. Last month, the Treasury’s Financial Crimes Enforcement Network (FinCEN) identified a Russia-based virtual currency exchange, Bitzlato Limited, as a major money laundering concern in connection with Russian illicit financing. The United States and United Kingdom are leaders in the global fight against cybercrime and are committed to using all authorities and tools available to defend against cyber threats.

This action follows other recent sanctions measures taken jointly by the United States and the United Kingdom, including under the Russian and Burmese programs, as well as last year’s multilateral action against the Kinahan Crime Group. It also reflects the conclusion of the 2021 Sanctions Review that sanctions are most effective when coordinated with international partners, and highlights the deep partnership between OFAC and the UK’s Office of Financial Sanctions Implementation.

Trickbot: a notorious cybergang in Russia

Trickbot, first identified in 2016 by security researchers, was a Trojan virus that evolved from the Dyre Trojan. Dyre was an online banking trojan operated by individuals based in Moscow, Russia that began targeting non-Russian companies and entities in mid-2014. Dyre and Trickbot were developed and exploited by a group of cyber criminals to steal financial data. The Trickbot Trojan has infected millions of victim computers worldwide, including those of US companies and individual victims. It has since evolved into a highly modular malware suite that enables the Trickbot group to carry out various illegal cyber activities, including ransomware attacks. During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States. In one such attack, the Trickbot group deployed ransomware against three Minnesota medical facilities, disrupting their computer and phone networks and causing ambulances to be hijacked. Members of the Trickbot group have publicly raved about the ease of targeting medical facilities and the speed with which ransoms were paid to the group.

Current members of the Trickbot group are associated with Russian intelligence services. The Trickbot group’s preparations in 2020 aligned them with Russian state objectives and with targeting previously conducted by Russian intelligence. This included targeting the US government and US companies.

Vitaly Kovalev was a senior member of the Trickbot group. Vitaly Kovalev is also known by the online nicknames Bentley and Ben. Today an indictment was unsealed in the U.S. District Court for the District of New Jersey charging Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victims’ bank accounts held at various US-based financial institutions, which happened in 2009 and 2010, before his involvement in Dyre or the Trickbot group.

Maksim Mikhailov has been involved in development activities for the Trickbot group. Maksim Mikhailov is also known as Baget online.

Valentin Karyagin has been involved in the development of ransomware and other malware projects. Valentin Karyagin is also known as Globus online.

Mikhail Iskritskiy worked on money laundering and fraud schemes for the Trickbot group. Mikhail Iskritskiy is also known as Tropa online.

Dmitry Pleshevskiy worked on injecting malicious code into websites to steal victims’ credentials. Dmitry Pleshevskiy is also known by the online nickname Iseldor.

Ivan Vakhromeyev worked for the Trickbot group as a manager. Ivan Vakhromeyev is also known as Mushroom online.

Valery Sedletski worked as an administrator for the Trickbot group, including server management. Valery Sedletski is also known as Strix online.

OFAC is designating each of these persons pursuant to Executive Order (EO) 13694, as amended by EO 13757, for having materially assisted, sponsored, or provided material or technological support for, or goods or services to or in support of, an activity described in subparagraph (a)(ii) of section 1 of EO 13694, as amended.

Consequences of sanctions

As a result of today’s action, all property and interests in property of these individuals that are in the United States or in the possession or control of US persons must be blocked and reported to OFAC. OFAC regulations generally prohibit all transactions by U.S. persons or within the United States (including transactions transiting through the United States) that involve property or interests in property of blocked or designated persons.

In addition, persons who engage in certain transactions with the persons designated today may themselves be exposed to designation. Furthermore, any foreign financial institution that knowingly facilitates a material transaction or provides material financial services to any of the persons or entities named today could be subject to US correspondent or payment account sanctions.

The authority and integrity of OFAC’s sanctions derive not only from its ability to designate and add individuals to the Specially Designated Nationals and Blocked Persons (SDN) list, but also from its willingness to remove individuals from the SDN list in accordance with the law. The ultimate goal of sanctions is not to punish but to bring about a positive change in behavior. For more information on the process for requesting removal from an OFAC list, including the SDN list, please refer to OFAC’s Frequently Asked Question 897. For detailed information on the process of submitting a request to be removed from an OFAC sanctions list, please visit OFAC’s website.

See OFAC’s Updated Advisory on the Potential Risk of Sanctions for Facilitating Ransomware Payments for more information on actions that OFAC would consider mitigating factors in any related enforcement action involving ransomware payments with a potential risk of penalties. For more information on complying with virtual currency sanctions, see OFAC’s Sanctions Compliance Guide for the Virtual Currency Industry. See also the recently published guidance on financial sanctions and ransomware from the UK’s Office of Financial Sanctions Implementation.

For more information on the persons designated today, click here.

For more information on the action in the UK, click here.

###

