Doxxing Trickbot: Unmasking the Mastermind Behind a Cybercrime Empire
Byline: Cyberanansi
Category: #CyberSecurity
The Federal Criminal Police Office of Germany (Bundeskriminalamt or BKA) has identified the individual believed to be the mastermind behind the infamous Trickbot and Conti cybercrime gangs. The suspect, Vitaly Nikolaevich Kovalev, a 36-year-old Russian also known as “Stern,” is accused of orchestrating and leading a highly structured network responsible for global cyber attacks. This blog delves into the group's operations, its impact on victims, and possible actions for cybersecurity teams.
Overview of Trickbot and Conti Operations
Trickbot, also dubbed ‘Wizard Spider,’ is a sophisticated cybercrime group known for its use of complex malware strains and organized operational structure.
The Leader: Vitaly Nikolaevich Kovalev
Kovalev, under the alias “Stern,” is alleged to have been the linchpin of the Trickbot and Conti operations. His leadership involved orchestrating malware attacks and managing a network comprising more than 100 members, following a hierarchy that reflected a corporate-like structure.
Malware Arsenal
- Trickbot Malware
- BazarLoader
- SystemBC
- IcedID
- Ryuk
- Conti
- Diavol
The group used these tools to infect systems worldwide, including several hundred thousand in Germany alone, achieving illicit financial gains in the three-digit million range.
Impact of Cyber Attacks
Who Were the Victims?
- Hospitals
- Public Facilities
- Corporate Entities
- Government Departments
- Private Individuals
The impact of the Trickbot and Conti operations was widespread and devastating, affecting various sectors, particularly critical infrastructure like hospitals and public services.
The Role of Leaked Conversations
Insights from TrickLeaks and ContiLeaks
Internal communications referred to as TrickLeaks and ContiLeaks provided crucial evidence pointing to Kovalev’s leadership role. These leaks highlighted the organized approach and internal communication, underscoring the structural complexity of the operations.
The messages showed members seeking Stern's approval before launching attacks and requesting legal counsel for arrested members; the leaks contributed to the eventual dismantling of the Conti gang.
Law Enforcement Actions
International Efforts
Following the exposure of Kovalev’s operations, an Interpol red notice was issued, marking him as wanted for leading an unnamed criminal organization. Earlier, in February 2023, United States sanctions had targeted him alongside six other Russians, recognizing his involvement under several aliases: “Bentley,” “Bergen,” “Alex Konor,” and “Ben.”
Remediation and Recommendations for Cybersecurity Teams
Identifying and Containing Threats
- Vulnerability Scanning: Regularly perform scans to identify weaknesses in your systems.
- Malware Detection Tools: Implement robust anti-malware solutions to detect and neutralize threats quickly.
Mitigating Risks
- Incident Response Plan: Develop a comprehensive incident response plan covering all scenarios, from detection to recovery.
- Regular Patching: Ensure systems and software are up-to-date with the latest security patches.
Employee Training and Awareness
- Regular Training: Conduct consistent training sessions on phishing and other social engineering tactics.
- Secure Practices: Promote best practices for password management and multi-factor authentication usage.
To prevent future incidents, organizations must address vulnerabilities diligently, maintain up-to-date defenses, and instill a culture of awareness among employees.
By understanding the methods and operations of cybercriminal organizations like Trickbot, cybersecurity teams can fortify their defenses and contribute to global efforts to combat cybercrime.
