Deep insights into Russia’s most dangerous hacker group Trickbot

Numbers and anger from the boss: That’s how banal everyday office life is for super hackers

This is how you imagine a hacker to be – but in fact it is now entire companies that are behind the attacks.

Nothing is sacred to them: The Russian hacker group Trickbot also attacks hospitals in order to extract large ransom payments as quickly as possible. How the criminals go about it usually remains hidden. But not always.

An inconspicuous Facebook post by the American Ridgeview Hospitals shows the result of the Russian hackers’ work. In October 2020, Trickbot took advantage of the coronavirus emergency and attacked the clinics’ systems. The goal: extort as much money as possible for unlocking the systems and then vanish without a trace. The statistics on so-called ransomware attacks for the past year show how well business is doing: The damage caused by groups like REvil or Trickbot was an incredible 20 billion euros. And yet very little is known about the people behind the attacks; arrests are often made only after years of investigation.

However, the imprisonment of a group like REvil does not act as a deterrent to the scene; rather, it serves as an incentive to fill any gaps that have opened up as quickly as possible, according to conversations between the hackers obtained by Wired. The US magazine reports on documents that provide a rare insight into the work of the groups, which often operate like corporations.

“That’ll cause panic” – Trickbot

From the hackers’ chats and from discussions with experts, it appears that the groups are organized like a real company. There is a CEO, administrative clerks, department heads and even offices. The pay models consist of basic salaries and high commissions. Much else, however, bears little resemblance to the legitimate business world: Real names don’t appear, job advertisements are posted on the darknet, and the work is often morally hard to stomach.

According to investigators’ records and internal documents, there appear to be six individuals at the top of the organization. Each brings key skills that make the digital blackmail business possible. These include managers who instruct developers, and a kind of command unit for deploying the malicious software against victims. The head of the operation is a person who calls himself Stern.

Not much is known about the boss. “Stern is the boss,” Alex Holden, owner of IT security firm Hold Security, told Wired. “He doesn’t deal with the technical side of the business. Stern wants reports and figures. He’s responsible for making important decisions, and others will do the rest.”

Chats between high-ranking members and Stern also show how professionally the hacker group must be organized. In August 2020, Target wrote to his boss about an upcoming expansion. “We expect 6 offices and 50 to 80 people by the end of September,” he writes. Overall, experts estimate the number of employees at up to 400 people. Kimberly Goody, director of cybercrime analysis at security firm Mandiant, tells Wired the gang may be operating out of St. Petersburg, Russia’s second largest city.

Arrest unlikely in Russia

There is no lack of allusions to cooperation with the Russian government, or at least toleration from the very top. Some chats from the head of the organization deal with the creation of an office for government affairs, while other conversations between hackers and their boss Target reveal that the hackers’ bosses don’t think they need to be afraid of being arrested in Russia. However, the group’s membership is apparently not limited to Russia: when the Internet was switched off because of the uprisings in Belarus, Stern’s chats show that a developer could not work because of the situation in the neighboring country.

According to Alex Holden, this also explains why there are hardly any ransomware attacks in Russia. “The hackers don’t want to mess with the government,” he tells Wired. In fact, security experts say they have found that the mere presence of a Cyrillic keyboard layout or the use of Russian in the chats can cause an attack to stop immediately and any infected systems to be unlocked again without anything in return. The rest of the world is apparently fair game.

Instead of being ashamed of the attacks on the overburdened health system, they boast internally about the choice of victims. “See how quickly the clinics get in touch?” a high-ranking Trickbot member asks a colleague, “the rest will also get in touch within the next few days,” he continues. The work orders read just as ruthlessly: “Get the hospitals in the US ready this week. That’ll cause panic,” wrote a hacker named Target. He sent a list of 428 possible targets.

The pressure is growing

Insights like Wired’s are also the result of arrests and court documents, as authorities around the world, often including the FBI and Europol, seize every opportunity to stop the hackers. In the case of Trickbot’s biggest competitor REvil, it seems to have been this international pressure that ultimately led to 14 suspected members being arrested in January 2022. Only the gang itself knows why Trickbot continues to feel safe.

Sources: KrebsOnSecurity, Wired, wwo, Brian Krebs
