Flying under the radar on Clownstrike day last week, two members of the Cyber Army of Russia Reborn (CARR) hacktivist crew are the latest additions to the US sanctions list.

Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, named by the US government as CARR's leader and attacker-in-chief respectively, were designated for their alleged roles in attacks on US critical national infrastructure.

Despite much of CARR's work since its inception in 2022 revolving around what the US Department of the Treasury describes as "low-impact, unsophisticated DDoS attacks in Ukraine," the group was blamed for various attacks on US and European water facilities earlier this year.

Back in January, CARR claimed responsibility for attacks on human-machine interfaces (HMIs) controlling OT systems in the US and Poland via its Telegram channel. Water supply, hydroelectric, wastewater, and energy facilities were affected by the remote manipulation of controls, which also led to the overflowing of water storage tanks in Abernathy and Muleshoe, Texas. Tens of thousands of gallons of water were lost, officials said.

CARR is also said to be responsible for an attack on a US energy company's SCADA system, which handed them control of arms and pumps connected to tanks, the Treasury said.

"Despite CARR briefly gaining control of these industrial control systems, instances of major damage to victims have thus far been avoided due to CARR's lack of technical sophistication," the announcement reads.

Specifically, this is alleged to be the work of Degtyarenko, a Russian national who also developed training materials for compromising SCADA systems.

Mandiant previously attributed these attacks to Sandworm - an offensive cyber unit inside Russia's military intelligence arm, GRU. A report from the infosec giant in April said CARR was just one of the many Telegram accounts Sandworm used to publicize its attacks, but the US hasn't explicitly made these links in announcing Pankratova and Degtyarenko's designation.

As is often the case when sanctioning Russian cybercriminals, it becomes illegal to do business with the pair, although arresting the individuals is unlikely as Russia would never give up its assets in cyberspace to an adversary.

"CARR and its members' efforts to target our critical infrastructure represent an unacceptable threat to our citizens and our communities, with potentially dangerous consequences," said Brian E Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence. 

"The United States has and will continue to take action, using our full range of tools, to hold accountable these and other individuals for their malicious cyber activities."

Although the US may never get its hands on the CARR pair, they will remain on allied watchlists forever more, which means arrests further down the line can't be ruled out.

Even the most prolific and successful cybercriminals in Russia sometimes let their guard down. For example, Mikhail Vasiliev, a 34-year-old former LockBit affiliate dual national of Canada and Russia, was arrested in 2022 after entering Canada on a trip - away from the Kremlin's protection.

Earlier this year he was sentenced to four years in prison for ransomware crimes and last week pleaded guilty to further charges brought to him in New Jersey.

Alongside Vasiliev was fellow LockBit affiliate Ruslan Magomedovich Astamirov. The 21-year-old admitted to two counts related to computer abuse and wire fraud, and faces a maximum sentence of 25 years. Sentencing dates for both criminals are yet to be set.

"Between 2021 and 2023, Vasiliev… deployed LockBit against at least 12 victims, including businesses in New Jersey, Michigan, the United Kingdom, and Switzerland," said the Department of Justice. "He also deployed LockBit against an educational facility in England and a school in Switzerland. Through these attacks, Vasiliev caused at least $500,000 in damage and losses to his victims."

"The defendants committed ransomware attacks against victims in the United States and around the world through LockBit, which was one of the most destructive ransomware groups in the world," said principal deputy assistant attorney General Nicole M Argentieri, head of the Justice Department's Criminal Division.

"But thanks to the work of the Computer Crime and Intellectual Property Section, along with its domestic and international partners, LockBit no longer claims that title. Today's convictions represent another important milestone in the Criminal Division's ongoing effort to disrupt and dismantle ransomware groups, protect victims, and bring cybercriminals to justice."

"Two members of the LockBit affiliate pleading guilty to their crimes in US federal court illustrate we can stop them and bring them to justice," said James E Dennehy, special agent in charge at FBI Newark. "These malicious actors believe they can operate with impunity - and don't fear getting caught because they sit in a country where they feel safe and protected. FBI Newark and our law enforcement partners around the globe have the technology and intelligence to go after these criminals - regardless of where they hide." ®

https://www.theregister.com//2024/07/22/russians_sanctioned_over_cyberattacks/