Reports concerning the impact of cyber operations, directed at both Russian and Ukrainian targets, have been many and varied. While it’s a step too far, in the eyes of most experts, to describe what has been happening as cyber warfare, it’s certainly accurate to say that ongoing cyber incidents are a reality. Beyond the ever-present disinformation campaigns, a highly organized cybercrime group appears to have entered the field of conflict. That Russian cybergang is thought to be Trickbot, in an apparent change of tactics from a purely financially motivated criminal business.
Exclusive: The Trickbot Leaks
I can exclusively report that threat intelligence specialist Cyjax has today published an in-depth analysis delving deep into the heart of the Trickbot cybergang. Months of painstaking research through hundreds of leaked documents have resulted in what is possibly the most comprehensive breakdown of a significant international cybercrime syndicate I’ve seen. Covering everything from membership and management to operational infrastructure, these are the Trickbot Leaks.
The Russian invasion of Ukraine was the catalyst for cybergang chaos
Russian cybercrime groups were placed not only into a difficult position at the start of what Putin still refers to as a special military operation, but into what proved to be an impossible one. Although working out of Russia, and likely with the state turning a blind eye to their activities if not actively sponsoring them, many of these groups comprised both Russian and Ukrainian nationals. The Conti cybercrime group, one of the most successful ransomware operators, was no exception. The day after the invasion, it posted a declaration officially offering full support to the Russian government and pledging to use “all possible resources to strike back at the official infrastructures” of anyone, or any country, targeting Russia in a cyberattack scenario.
Needless to say, this was something akin to kicking a hornet’s nest: Conti had Ukrainian members who did not support the Russian operation, and the global intelligence community had little choice but to take a renewed interest in the group. Within 48 hours, Conti retracted the statement and pledged only to target Western warmongers, as they put it. However, the seeds of discontent were already sown, and that same day an account called ContiLeaks started posting logs of internal Conti communications to Twitter. Cyjax was able to access a dump of some 60,000 such messages. A few days later, on 4 March, another account called Trickleaks posted that it had evidence of collaboration between Trickbot and the Federal Security Service (FSB), the primary security service in Russia.
The Trickbot Leaks eventually consisted of more than 1,000 communication extracts, 250,000 messages, 2,500 IP addresses, and 500 potential crypto wallet addresses. PDF files were also leaked, Cyjax reports, “containing large amounts of information” that appeared to be about individual members. These became known in-house as the Doxing PDF files.
Analyzing the leaks: delving deep inside the Trickbot cybergang
The Trickbot Leaks make the Conti disclosures all but pale into insignificance, being not only four times the size but containing much more helpful information from the threat intelligence perspective. Of course, researching and analyzing this data was far from a straightforward task. Cyjax had to develop a bespoke set of tools and processes. By way of example, standard language translation tools encountered difficulty in dealing with slang and nuance. One Russian word that directly translates to toad was actually referring to the Jabber messaging service. “While this research took time and required the development of bespoke tools to analyze the data,” Joe Wrieden, the primary intelligence analyst at Cyjax involved in the report, told me, “I feel we have uncovered some key information that will help shape the way we view threat actors such as Trickbot. I was surprised by the level of sophistication, not only from a technical standpoint with malware and infrastructure but also with the complex management systems used to run the organization.”
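The passage above describes two practical problems in working a leak of this kind: slang that defeats off-the-shelf translation, and the need to pull artefacts such as IP addresses and wallet addresses out of hundreds of thousands of chat lines. As an added illustration, and not Cyjax’s own tooling, the script below applies a small slang glossary before translation and then extracts IPv4 addresses and legacy Bitcoin addresses from constructed sample chat lines. The chat lines, usernames and the second glossary entry are constructed; the Russian word for toad is assumed here to be “жаба” (the article only says the word translates to toad); the wallet address used is the well-known sample address from the Bitcoin wiki, chosen because it passes the Base58Check checksum test.

```python
import hashlib
import ipaddress
import re
from collections import Counter

# Constructed sample of leaked chat lines (not from the real Trickbot dump).
# They mix Russian chat slang with the artefact types the article says the leak
# contained: IP addresses and crypto wallet addresses.
SAMPLE_LINES = [
    "[2021-03-02 10:14] user_a: пиши мне в жабу, тут это не обсуждаем",
    "[2021-03-02 10:15] user_b: ок, сервер 192.168.10.44 уже поднят",
    "[2021-03-02 10:16] user_b: кошелек 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 для оплаты",
    "[2021-03-02 10:17] user_a: 999.1.1.1 это не адрес, опечатка",
    "[2021-03-02 10:18] user_c: второй бокс 192.168.10.44, прокси 10.0.0.7",
]

# Slang glossary applied before machine translation. 'жаба' (literally 'toad')
# is assumed to be the word the report describes as meaning Jabber; 'бокс' is a
# constructed entry added only to show the glossary can hold several terms.
SLANG_GLOSSARY = {
    re.compile(r"\bжаб[аеуыой]?\b", re.IGNORECASE): "Jabber",
    re.compile(r"\bбокс\b", re.IGNORECASE): "server",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Legacy Bitcoin address shape: version prefix 1 or 3, then base58 characters.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def normalize_slang(line: str) -> str:
    """Replace glossary terms so a generic translator sees 'Jabber', not 'toad'."""
    for pattern, replacement in SLANG_GLOSSARY.items():
        line = pattern.sub(replacement, line)
    return line


def extract_ipv4(text: str) -> list[str]:
    """Return only syntactically valid IPv4 addresses (999.1.1.1 is rejected)."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            found.append(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            continue
    return found


def b58decode(s: str) -> bytes:
    """Decode a base58 string; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading_zeros + body


def valid_btc_address(candidate: str) -> bool:
    """Base58Check test: last 4 bytes must equal the first 4 of double-SHA256 of the rest."""
    try:
        raw = b58decode(candidate)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_wallets(text: str) -> list[str]:
    """Keep only regex hits that also pass the checksum, cutting down false positives."""
    return [c for c in BTC_RE.findall(text) if valid_btc_address(c)]


def triage(lines: list[str]) -> dict:
    """Normalize slang, then tally IPs by mention count and list valid wallets."""
    normalized = [normalize_slang(line) for line in lines]
    joined = "\n".join(normalized)
    return {
        "normalized": normalized,
        "ipv4": Counter(extract_ipv4(joined)),
        "wallets": sorted(set(extract_wallets(joined))),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for line in summary["normalized"]:
        print(line)
    print("IPv4 addresses by mention count:", dict(summary["ipv4"]))
    print("Checksum-valid wallet addresses:", summary["wallets"])
```

The glossary is the part that has to be built by hand from reading the dump, which is why a generic translator stumbles on it; the two extraction steps show why regexes alone are not enough, since a typo such as 999.1.1.1 or a mistyped wallet address would otherwise be promoted into an indicator list.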
The key findings of this deep dive into the Trickbot Leaks, and consequently the criminal cybergang itself, can be divided into three areas: members, operational infrastructure, and business management.
The sheer quantity and quality of personal information leaked about members of the Trickbot organization was genuinely unprecedented. Cyjax analysts say they could determine overall member counts (at least 133 individuals) and locations, position within the gang, dates of birth, tax details, passport numbers, email and other contact details, and more. These Doxing PDFs appear to have combined open source intelligence (OSINT) data with insider knowledge. “It is clear whoever is behind this leak was either very close to the group itself,” the report states, “or had broad access to the group’s records.” When I spoke with Chris Spinks, head of operations at Cyjax, he expressed surprise, “given the level of personal detail in these leaks and the resources of the U.S. Department of Justice as well as Europol,” that “indictments have not been raised against the majority of these named threat actors.”
Trickbot business management
It became evident, very quickly, that Trickbot is not a ragtag collection of some criminal actors who are also proficient coders. “This is a large business which operates at a commercial level,” Cyjax states. This means it comes complete with a human resources system and salaried employees. The analysis reveals that Trickbot even has access to lawyers and, Cyjax concludes, is “very much a criminal advanced persistent threat” operation. Most developers recruited into Trickbot were salaried at around $2,000 per month and allocated line managers. Efficient payment systems are used to encourage work of high quality. This is especially important in ensuring that development teams are agile enough to quickly evolve the malware in response to commercial cybersecurity defenses and, more often than not, negate them.
Trickbot members were found to be organized into distinct groups by role, managed by senior players. So, there was a crypter group developing malware obfuscation tools and a locker group responsible for developing “fast and efficient encryption systems” to be built into both ransomware payloads and wiper malware. Inter-group collaboration is another essential part of the business strategy. Trickbot works alongside other cybercrime outfits to improve their technical capabilities and gain reputational leverage within the broader criminal community.
Trickbot operational infrastructure
Turning to the technical side, the operational infrastructure employed by the Trickbot cybergang, the more critical components include bots and loaders. These support both the group’s management structure and effective malware distribution. The bots host malicious files used in phishing and other attack vectors. The loaders, meanwhile, take care of the command and control functions and the delivery of secondary payloads. Multiple other server hosts were identified, taking on roles such as malware development, antivirus and crypter detection testing, and various proxies that add further protective layers to the operation.
“We see the threat actors actively building bespoke exploits to defeat antivirus with an in-house capability,” Spinks says. “We also see they are willing to reach out when they cannot develop things fast enough. Reliance on singular defense mechanisms such as antivirus or single vendor cover is clearly not providing the defensive layering needed to prevent this threat from gaining traction within the networks.”
IBM’s X-Force intelligence team says Trickbot is now actively aiming at Ukrainian targets
According to the latest analysis from IBM’s X-Force intelligence team, Trickbot has been systematically attacking Ukrainian targets. X-Force tracks the Trickbot group as ITG23 and confirms that the recent anti-Ukraine campaigns “differ from historical precedent” and are aimed at a wide range of state, business, and individual targets. The recent activity, X-Force analysts stated, “highlights a trend of this group choosing targets that align with Russian state interests against the backdrop of the ongoing conflict.”
Then there’s the small matter of Conti. Until recently the most successful and undoubtedly best-known of the ransomware groups, Conti apparently shut down its infrastructure back in May, but things are not always what they seem in this murky criminal world. As one industry expert working on the frontline of offensive security put it, the threats and the people behind them within Conti haven’t gone away; it’s all just franchises and brands. Conti had been vocal in its support of targeting those working against the Russian Federation during the invasion of Ukraine. Before the shutdown, Conti was also reported to have become involved with the Trickbot operation. If Russian Conti ‘patriots’ are involved with Trickbot now, that could explain the apparent shift from a purely criminal business to one aligned with Russian state interests.
Remember I just said that things are not always what they seem? Yes, we have to return there. “We have had several discussions around the state-sponsored factor. There is not enough evidence within the leak to provide clarity in this matter; however, for sure, inference can be drawn,” Spinks told me. He says that what’s interesting is understanding the nuance between state-sponsored and state-supported. “Maybe these are two factors that have influenced the deployment of key individuals and tools into the Russian cyber offensive,” Spinks continues, “and maybe the ability to draw on these tools when required is the payoff for operating without prosecution?” Ultimately, though, the truth is that at this point we don’t know for sure. If it isn’t already a time-served cybersecurity industry adage, it should be: attribution is a bitch.
The Trickbot Leaks: in conclusion
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
“This research helps businesses know the enemy,” Spinks says, “through a better understanding of the dynamic nature and capability within the threat group and a more thorough understanding of the processes undertaken by the threat actors around reconnaissance and targeting and indeed recruitment.”
I will leave the final words to Cyjax intelligence analyst Joe Wrieden, though: “The crossover between the higher-ups of Conti and Trickbot paints a picture of a new threat landscape that is highly interconnected and capable, and one where threat actors work together for a common goal.” Research and analysis such as this in-depth dive into the Trickbot cybergang “enables businesses and researchers to appropriately manage the risk these threat actors pose, in a scenario where it is a cybercrime business versus your business.”