Inside Trickbot: How to run a cybercrime empire

The arrest of a 55-year-old Latvian national exposed the inner workings of a sprawling criminal enterprise.

Kelly Kendrick first noticed something was wrong two weeks before the FBI came calling. As director of operations at the Coventry Local Schools District in Akron, Ohio, Kendrick had been receiving reports from teachers about computers freezing and blinking out. The first couple of cases seemed like anomalies. Then it kept happening.

By the time Kendrick called the Northeast Ohio Network for Educational Technology in May 2019 for assistance, the malfunctions were happening more than once a day. After scanning the network, NEOnet called Kendrick with an update. Their machines, they said, were infested with Trickbot, a modular banking trojan that harvests bank login and payroll credentials and can spread on its own from computer to computer across a local network. Consequently, the district’s local networks needed to be shut down immediately.

Kendrick felt dazed. “It was surreal,” she recalls. “It was like any natural disaster, I assume, where you’re just in the moment and thinking, ‘We can still solve this problem, we can still get it done.’ But then, as the hours rolled on, you realise, ‘This is so big.’”

Shutting down the network would have significant implications for teaching across the district. Staff wouldn’t be able to communicate using email, much less work on their lesson plans. The safety of the premises itself was also called into doubt. Anxiety gripped the teaching staff, who began peppering Kendrick with questions about how the hack happened, what data had been exposed, and whether staff would still get paid at the end of the month.

Answers would have to wait, at least until all computers in the district could be disconnected from the network. The next day, the superintendent closed the schools while Kendrick and the rest of the teaching staff ran up and down the premises yanking Ethernet cables from the back of around a thousand computers. “With the Trickbot virus, time is against you,” says Kendrick. “You have to work very quickly because it can spread very quickly.”

The superintendent’s email was soon picked up by local media. Then the FBI made contact. “They were invaluable,” says Kendrick, providing help and advice to rebuild the district’s crippled networks. The timing was also fortuitous. Not only had NEOnet discovered the Trickbot hack just before the malware reached the payroll department, but also before the school broke up for the summer. Kendrick now had extra leeway to overhaul the district’s network, at a total cost of $80,000.

The staff are still “on heightened alert” two years on, says Kendrick. Improved security procedures, however, brought little closure – especially given the FBI’s advice that, since the attack likely originated abroad, there was virtually no chance of a successful prosecution.

That changed earlier this year, when Kendrick received a letter from the Department of Justice inviting her to the arraignment of a 55-year-old woman named Alla Witte. Apprehended in February on a trip to Florida, the Latvian national had been charged with facilitating the hack of Coventry Schools, among others. With her arrest came the publication of a 61-page indictment that revealed not only how the district had been infiltrated, but the inner workings of a malware empire estimated to have stolen hundreds of millions of dollars.

A corporate enterprise

“Alla Witte is a nice person,” says Alex Holden, founder of Hold Security. The cybersecurity expert has been investigating the group behind Trickbot for the better part of four years, and as such has a unique perspective on Witte’s participation in the organisation. “By every account, even from cybercriminals themselves, she’s just a nice human being.”

A 61-page indictment from the US Department of Justice revealed Alla Witte’s alleged involvement in the so-called ‘Trickbot Group’. (Image courtesy of Hold Security/Facebook)

She is also, according to the FBI, an adept malware designer. From 2018 until her arrest in Florida, Witte was a member of the Trickbot Group, designing not only its ransomware but also software to track clients’ use of its products. From her home in the Netherlands and later Suriname, her handiwork could be traced to attacks on targets across Europe, Australia and North America. Even so, says Holden, Witte’s role in the Trickbot Group was analogous to that of an IT manager.

“I know law enforcement is trying to trumpet her importance,” he explains, referring to a DOJ press release stating that Witte faces a maximum combined sentence of 87 years if convicted. But Witte was just a small part of what remains a sprawling criminal enterprise of at least 200 people, Holden says. “You’ve got to imagine a cybercriminal organisation [that has] a lot of extensions, a lot of connections,” he says, one offering malware-as-a-service from bases in Belarus, Ukraine and Russia.

The inner circle of the gang, however, appears to be Russian. The group’s origins can be traced back to 2015, when Moscow police raided the organisation behind Dyre, an earlier banking trojan. While its activity ‘slowed significantly’ according to the indictment, no arrests were made public. Instead, the group reconstituted itself as Trickbot and built its namesake malware, gradually assembling a sophisticated botnet that infected first hundreds, then thousands of computers around the world.

It wasn’t until 2018, however, that the group began to expand to its present size. “In the spring of that year, we see a huge recruitment drive,” says Holden, with dozens of small-time cybercriminals abandoning their own operations to join the Trickbot Group. By this point, the gang had professionalised recruitment, creating its own human resources department to acquire fresh talent. “They went out to freelancing sites,” says Holden, advertising seemingly legitimate work. After a series of interviews and tests, the candidate would be informed that this was, in fact, black-hat hacking.

“This is how Alla Witte was recruited,” says Holden. The process was not foolproof. In one conversation recorded in the indictment, a Trickbot manager told a colleague to remove suspicious-sounding words like ‘inject’ from their job ads. On another occasion, a different manager, referred to as CC8, had a heated conversation with a subordinate over one applicant’s misgivings. “We need to stop communicating with idiots,” CC8 said, with the subordinate replying that most candidates seemed to understand what they were applying for. CC8 sounded wary: “If they ask additional questions, this person is not suitable.”

Witte was certainly one of the gang’s more promising prospects. In the three years she spent with the gang, the indictment alleges, Witte helped write the code that allowed the gang to ‘manage and track authorized users of the Trickbot malware to the Trickbot Group,’ as well as filming a video tutorial for other members explaining how it worked. She also partly authored the malware’s ransomware module, creating a web interface for the operators and the means for victims to pay ransoms to a dedicated Bitcoin wallet.

Her colleagues in Trickbot’s technology department were equally industrious. Much of the malware’s success can be attributed to its modular structure. What began life as a simple banking trojan gradually acquired 28 additional plugins, allowing operators to conduct remote desktop scanning, control individual machines remotely and spread automatically to other computers on the same network. Eventually, it became more profitable to sell access to Trickbot-infected networks to other hacking groups than to exploit them directly. Meanwhile, the organisation’s developers repeatedly tested the malware against antivirus products to keep it from being detected. From 2016 to 2020, says the indictment, they modified one piece of injection code ‘approximately 700 times.’

The result was one of the world’s most effective pieces of malware, backed by one of its largest botnets. Trickbot’s targets were diverse. In the United States alone, they included school districts, country clubs, law firms, an electric service company and a county government, among others. Other victims were scattered as far afield as the UK, Canada, India, Mexico and Australia. The gang also owed its success, says Holden, to its rigid chain of command.

“There are captains, there are officers, there are assistants,” he says, a corporate structure in keeping with its prodigious ambition. One might compare it to a start-up’s evolution into an internet giant – or more accurately, says Holden, a union of street gangs transforming itself into a mafia.

In December 2015, Russian police raided premises housing the ‘Dyre’ cybercrime gang in Moscow’s Capital City skyscraper (centre-left). The group would later reconstitute itself as Trickbot. (Photo by Dimitar Dilkoff /AFP via Getty Images)

Trickbot and its global outlook

Throughout this process, Witte remained an outlier. For one thing, she chose to live in the Netherlands and Suriname, territories hardly known for denying US extradition requests. Witte’s security hygiene was also terrible. She left breadcrumbs about her double life all over social media, and at one point even installed Trickbot malware on her personal website, likely exposing her to investigators who had already infiltrated the organisation’s user database. “For any cybersecurity person, these are just unforgivable mistakes,” says Holden.

Despite this, Witte was well-liked within the organisation. “She was very sociable,” says Holden, sometimes to the point of flirtatiousness. “They were a bit surprised to find out her age once she got arrested.”

None of her colleagues panicked, though. While Witte was trusted and valued by the Trickbot Group, Holden has found no indication that her arrest was viewed as anything other than a temporary setback. Indeed, he adds, “the gang is growing,” despite attempts by first US Cyber Command and then Microsoft to disrupt its operations last autumn. While this probably did succeed in preventing major ransomware campaigns against voting infrastructure in the run-up to the US presidential election, it failed to prevent the group from hacking a string of hospitals in the same period.

That is not the behaviour of a criminal organisation lying low, says Holden. If anything, the Trickbot Group turned the US counterattack into an opportunity for restructuring, dividing its hackers into smaller groups and directing them toward individual targets. The organisation’s dedication to the task at hand frightens the cybersecurity veteran. “The gang’s current plans are the most ambitious that I have ever seen any criminal enterprise undertake outside of state-sponsored groups,” says Holden.

Even so, Holden doesn’t dismiss the possibility that the Trickbot Group has some connection to the Russian government. In a conversation recorded in the indictment, one defendant told another in 2016 that “they should say thank-you [sic] to us that we are stealing money from the Americans”. Even if ‘they’ doesn’t indicate direct state sponsorship, Holden finds it hard to believe that the organisation grew to its present size without the tolerance of government officials. This, combined with Russia’s traditional reluctance to extradite cybercriminals, has seen the group develop in new and unexpected ways. They are “not limiting themselves to what we would say are ‘conventional’ measures of ransomware or other types of attacks,” says Holden, ominously.

For Kendrick, Witte’s arrest has been one of the few opportunities to obtain closure for the Coventry Schools hack. Before leaving, the FBI managed to trace the initial Trickbot infection to an email attachment opened in the district’s elementary school. Since this news was revealed to the teaching staff, they’ve been forwarding Kendrick countless suspicious emails from would-be phishers. “And they’re getting more creative in how they approach it,” she says of the hackers. “They’re using the superintendent’s name. They’re using the treasurer’s name.”
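The pattern Kendrick describes, a message that borrows a named official's display name while the actual address (or the Reply-To) sits outside the district's domain, is simple to check for mechanically. The script below is an added example written for this page; it is not part of the original article and not anything the Trickbot Group or the FBI used. The official names, the district domain and the four sample messages are all constructed for illustration.

```python
"""Flag mail whose From: display name impersonates a named official while the
mailbox, or the Reply-To, points outside the organisation's domain.

Added example for this page; not from the article and not Trickbot tooling.
The officials, the district domain and the sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the officials whose names phishers reuse, and the
# only domain their legitimate mail should come from.
PROTECTED_NAMES = {"Jane Doe": "superintendent", "John Roe": "treasurer"}
DISTRICT_DOMAIN = "example-schools.org"


def _normalise(name: str) -> str:
    """Lower-case, keep only letters and sort the tokens, so that
    'DOE, Jane', 'jane doe' and 'Jane  Doe' all compare equal."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


def _domain(addr: str) -> str:
    """Mailbox domain in lower case, or '' if the address has no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(raw_message: str) -> dict:
    """Inspect one RFC 5322 message string and return a verdict.

    Flags the message when the From: display name matches a protected official
    but the mailbox is not on DISTRICT_DOMAIN, or when Reply-To: would send
    answers to a different mailbox outside that domain. Both tricks let an
    attacker trade on a name without controlling the official's real account.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    impersonated = None

    for official, role in PROTECTED_NAMES.items():
        if _normalise(from_name) == _normalise(official):
            impersonated = role
            if _domain(from_addr) != DISTRICT_DOMAIN:
                reasons.append(
                    f"{role}'s name on external address {from_addr or '<none>'}")

    if reply_addr and reply_addr.lower() != from_addr.lower():
        if _domain(reply_addr) != DISTRICT_DOMAIN:
            reasons.append(f"Reply-To redirects to {reply_addr}")

    return {"from": from_addr, "impersonated_role": impersonated,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages: one legitimate, three in the styles staff were
# forwarding (free-mail address, lookalike domain, Reply-To swap).
SAMPLES = {
    "legit": ("From: Jane Doe <jane.doe@example-schools.org>\n"
              "Subject: Board agenda\n\nSee attached.\n"),
    "freemail": ("From: Jane Doe <jane.doe.supt@webmail.example>\n"
                 "Subject: Urgent request\n\nAre you at your desk?\n"),
    "lookalike": ('From: "DOE, Jane" <jdoe@exampleschools.org>\n'
                  "Reply-To: jdoe@exampleschools.org\n"
                  "Subject: Payroll\n\nConfirm your direct deposit details.\n"),
    "replyto": ("From: John Roe <john.roe@example-schools.org>\n"
                "Reply-To: treasurer-office@mail.example\n"
                "Subject: W-2 forms\n\nSend all staff W-2 copies today.\n"),
}


def scan(samples: dict = SAMPLES) -> dict:
    """Run check_sender over a mapping of label -> raw message."""
    return {label: check_sender(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, verdict in scan().items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{label:10} {flag:10} {'; '.join(verdict['reasons'])}")
```

The check only covers display-name and Reply-To abuse; a message that spoofs the district's own domain in From: (the third sample passes the name test only because its Reply-To gives it away) is caught by SPF, DKIM and DMARC alignment at the mail gateway, not by header inspection alone, so in practice this logic sits alongside those controls rather than replacing them.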

Although she didn’t expect it, Kendrick would have liked to have heard more from the FBI about the investigation as it progressed. Rebuilding the network has been a lonely undertaking. “In the old days – and by that, I mean three years ago – schools were not focused on cybersecurity,” says Kendrick. Now, there are special insurance products designed to help districts rebuild after hacks. The prospect of another attack, at any time, “is very real to us,” says Kendrick. “And it should be very real to everyone.”

Greg Noone

Greg Noone is a feature writer for Tech Monitor.