CyberSecurity SEE

Russian Hacker Receives 2-Year Sentence for Ransomware Attacks Linked to TA551 Botnet

The U.S. Department of Justice (DoJ) recently announced the sentencing of a Russian national, Ilya Angelov, to two years in prison for his involvement in managing a botnet that facilitated ransomware attacks on American businesses. At 40 years old, Angelov hails from Tolyatti, Russia, and was also ordered to pay a fine of $100,000. Known by his online aliases “milan” and “okart,” he was a key figure in a cybercriminal organization termed TA551, also recognized by various names such as ATK236, G0127, Gold Cabin, Hive0106, Mario Kart, Monster Libra, Shathak, and UNC2420, which operated between 2017 and 2021.

According to the DoJ, Angelov’s group constructed a network of compromised computers, commonly referred to as a “botnet.” This was achieved by distributing malware-infested files concealed within spam emails. The group’s strategy involved not just managing the botnet but also monetizing it by selling access to the individually compromised systems—referred to colloquially as “bots.”

The intricacies of their operations were extensively documented in a sentencing memorandum, revealing that the group had developed specialized software to disseminate spam emails and enhance malware capabilities to evade detection by security measures. Angelov, alongside his co-manager, played crucial roles in recruiting members and overseeing the myriad activities undertaken by the group. A particularly insidious method employed was the installation of a backdoor into victims’ computers, allowing the introduction of malicious software at will.

Primarily, the attacks orchestrated by TA551 aimed to sell access to these compromised systems to other criminal factions, which in turn utilized this access for ransomware extortion schemes. A significant aspect of their operation occurred between August 2018 and December 2019, during which TA551 provided the BitPaymer ransomware group access to its botnet. This collaboration led to the infiltration of 72 corporations across the U.S., ultimately resulting in a staggering $14.17 million in extortion payments.

In late 2019 or early 2020, the IcedID malware operators further bolstered their own criminal activities by paying Angelov’s group over a million dollars for access to the botnet, using it to distribute ransomware; the full scale of the resulting damage is still being evaluated. This partnership is believed to have emerged after the disruption of the BitPaymer group, and similar arrangements continued until approximately August 2021, as confirmed by the U.S. Federal Bureau of Investigation (FBI).

A report issued by Mandiant, a Google-owned cybersecurity firm, in February 2021 elaborated on the TA551 operations, detailing how phishing emails containing password-protected archives tricked victims into opening macro-enabled Microsoft Word documents. This manipulation led to the deployment of a downloader known as MOUSEISLAND, serving as a conduit for a secondary payload codenamed PHOTOLOADER, which eventually installed the IcedID malware. Both MOUSEISLAND and PHOTOLOADER have been identified as being associated with TA551.

In November 2021, the cybersecurity firm Cybereason revealed that the operatives behind the TrickBot trojan were forming alliances with TA551 to facilitate the distribution of Conti ransomware. Around the same time, France’s Cyber Emergency Response Team (CERT-FR) disclosed that the Lockean ransomware group had sought services from TA551 after law enforcement had dismantled the Emotet botnet at the beginning of 2021.

U.S. Attorney Jerome F. Gorgon Jr. emphasized the threat posed by foreign cybercriminals targeting American individuals and enterprises, highlighting the increasingly sophisticated methods employed by these criminals, while reiterating their unchanged motive: to deceive and harm citizens of the U.S.

Interestingly, this sentencing of Angelov comes on the heels of another significant development. The DoJ revealed that a fellow Russian national, 26-year-old Aleksei Olegovich Volkov—known as “chubaka.kor” and “nets”—was sentenced to nearly seven years in prison after pleading guilty to serving as an initial access broker (IAB) for Yanluowang ransomware attacks, which compromised eight U.S. firms between July 2021 and November 2022.

These unfolding events highlight the ongoing battle between U.S. law enforcement and sophisticated cybercriminal networks, emphasizing an urgent need for vigilance and robust cybersecurity measures in the face of evolving threats.
