The Justice Department has charged 11 Russian men in connection with a hacker group that is behind some of the biggest cyberattacks in the world, including destructive hacks against major hospital chains.
In concurrent statements announcing sanctions against the men, the U.S. Treasury Department and the U.K. government made the rare public claim that the alleged cybercriminals have explicit ties to Russian intelligence.
In a series of three indictments unsealed Thursday, the Justice Department accused the 11 men of helping run Conti, one of the most notorious ransomware gangs, and developing Trickbot, a malicious software that Conti has used to gain access to victims’ computer networks.
Ransomware is a type of cybercrime in which hackers encrypt victims’ computer systems, rendering them unusable, and then demand a ransom payment for a key to fix the damage. Many ransomware groups will also steal their victims’ personal data and threaten to publish it online if they’re not paid.
The announcement is the first public action a government has taken against Conti, which since 2020 has hacked and extorted major organizations, including Western governments, with seeming impunity. Conti’s victims included San Diego-area hospital chain Scripps Health and Ireland’s national health care system in 2021, and Costa Rica’s tax collection system last year, prompting the country to declare a state of emergency.
Cybersecurity experts have long inferred connections between Russia’s thriving cybercrime scene, where hackers who attack foreign targets seem to operate with impunity, and Russia’s security services. Thursday’s announcements were rare in that the U.S. and U.K. made those accusations explicit.
The U.K.’s sanctions announcement said that Conti was “one of the first to offer support for Russia’s invasion of Ukraine, maintaining links and receiving tasking from the Russian Intelligence Services.”
The Treasury Department said that Trickbot’s developers have “ties to Russian intelligence services.”
Russia’s Ministry of Foreign Affairs didn’t respond to an email requesting comment.
Russia’s Constitution forbids extraditing its citizens, so there is little chance the men will be arrested if they remain in the country.
Earlier this year, U.S. intelligence found that a Russian hacker group that had gained access to a Canadian gas infrastructure company was taking orders from handlers at Russia’s FSB, according to a top-secret memo that leaked online.
Brett Callow, an analyst at the ransomware recovery firm Emsisoft, said that Conti was the second-most prolific ransomware group that targeted hospitals, and that it tended to go after the large hospital chains and governments in hopes of getting a large payday.
“I would assume this was because they found attacks on these sectors to have a better than average ROI,” Callow said.