CLEVELAND, Ohio – Within hours, Russian hackers looted $471,000 from schools in Avon in a series of illicit wire transfers from district bank accounts.
The next day they tried again, this time unsuccessfully, reaching for nearly $700,000.
Almost two years later, in May 2019, they hit schools in Coventry, damaging Summit County district computers and sending students home for a break before the end of the year. Unlike Avon, the district didn’t lose any money, but spent around $80,000 to bounce back from the attack.
“It devastated our network,” said Kelly Kendrick, COO of Coventry. “It came at a cost to the district, as we spent the whole summer rebuilding the system and tightening our security.”
Years later, details of the attacks and their perpetrators were revealed in federal charges filed in Cleveland earlier this month. The allegations mark the government’s first legal attack on TrickBot, an international cybercrime network that has infected millions of computers around the world and seized tens of millions of dollars from unsuspecting banks, governments and businesses.
Cyber attacks are now part of a digital cold war, a new frontier that included hacking Hillary Clinton’s presidential campaign emails in 2016, creating fake social media accounts designed to exploit America’s racial divisions, and strikes against various government institutions. In recent weeks, malware, apparently originating in Russia, has hit Colonial Pipeline and global meat packer JBS.
Russian President Vladimir Putin and US President Joseph Biden announced on Wednesday that they plan to work together on cybersecurity measures – a statement that left many skeptical of any meaningful results.
Biden, however, was forceful, telling reporters afterwards that he made it clear that “we have significant cyber capacity. And (Putin) knows it.”
The impact of these cybercrimes continues to resonate in Northeast Ohio. School and government administrators spend the summer working on measures to stop attacks and keep their networks secure.
Authorities said Alla Witte and TrickBot played a role in creating this fear.
A federal grand jury in Cleveland has indicted the 55-year-old Latvian national on 19 counts, including bank fraud, wire fraud and multiple conspiracy counts stemming from what authorities have described as her role in the network. Security experts said the arrest offered one of the first glimpses into the origins of TrickBot, a company that expanded in Russia around 2015.
“She wasn’t the linchpin, but she was an integral part of TrickBot,” said Alex Holden, CEO of Hold Security, a Milwaukee cybersecurity company that has been tracking TrickBot for years. “She went from one part of the organization to another, and it shows that they trusted her.”
“It’s hard for school districts”
The developers of TrickBot have created various forms of malware and ransomware to empty bank accounts and introduce viruses to shut down computer systems, according to the indictment in the Witte case. The indictment does not specify how the organization chose and targeted its victims.
The document alleged that TrickBot hit a country club in Ripon, Calif., in December 2016. Eleven months later, in October 2017, it hit Avon schools.
On October 19, 2017, TrickBot obtained four separate wire transfers from the district accounts, totaling $471,066, according to the indictment. The next day, TrickBot attempted to access even more, although that attempt failed.
“It’s tough on school districts,” Avon Superintendent Michael Laub said, adding that the insurance had paid for the loss. “Funding is already hard to come by. I’m glad they caught the person, but I had no idea that (the arrest) had taken place.”
Almost a year after the strike in Avon, TrickBot obtained the online banking credentials to collect more than $750,000 in wire transfers from a real estate company in North Canton, according to the indictment. Federal prosecutors did not identify the company in the document.
Schools in Coventry did not suffer a loss on their bank accounts when the malware hit in May 2019, but the attack spread quickly.
“As soon as we found out, we unplugged all the computers in the district,” said Kendrick, district operations manager. “It shut down our network.”
It affected the neighborhood’s telephones and secure entrances, as well as its heating and cooling systems.
Superintendent Lisa Blough said officials believed the attack was initially triggered by an email opened by an elementary school teacher and that the district quickly froze its accounts. The FBI took charge of the case due to its complexity.
“It taught us a very important lesson to be proactive,” said Blough.
The real estate company and Northeast Ohio school districts weren’t alone. The indictment said TrickBot hit schools in Bennington, Vermont; an electric utility in Eastland, Texas; and a country club in Lynchburg, Virginia, as well as other businesses and governments across the country.
The presumed role of a code author
The indictment says Witte appears to have started working for TrickBot around 2018. The file says she developed malware and ransomware, which informed users that someone had attacked their computers and that they had to buy special software to fix it, with payment via Bitcoin.
Authorities arrested her when she flew to Miami in February. She has denied the charges and remains in a Youngstown jail without bail, awaiting trial. Her lawyer, Edward Bryan, declined to comment.
Holden, the head of the cybersecurity firm in Milwaukee, wrote in an online report that Witte was born in the Soviet city of Rostov-on-Don. She then moved to Latvia to study mathematics. She stayed there after it became an independent country, Holden wrote. For the past few years, she has lived in the South American country of Suriname.
“Several members of the group (TrickBot) had Alla Witte records with data,” Holden wrote in the report. “They refer to Alla almost as if they were addressing their mother.”
Federal prosecutors obtained the indictment in August. She was one of seven people charged, the others living in Russia or Ukraine.
The Cleveland indictment remains under seal, but authorities released a redacted version in Miami after her arrest. The names of Witte’s associates have not been made public.
The indictment indicated that others led TrickBot, with Witte playing a role as a malware developer. Holden, however, pointed out in his online report that Witte “acted knowingly and maliciously as a member of the TrickBot gang.”
Authorities hailed her arrest and indictment as a victory for law enforcement.
“This indictment warns other Russian hackers; you will be hunted down and brought to justice,” said Scott Jasper, senior lecturer at the US Naval Postgraduate School and author of the book “Russian Cyber Operations: Coding the Boundaries of Conflict.”
“But these actors rarely stray from Russia, and the Russian government takes too much advantage of the chaos they create in America to deliver them,” he said.
And the thought of it left an impression on Northeast Ohio.
“The very first thing we do in the morning is safety,” said Kendrick of Coventry. “This is something we have to do.”