The next day, they tried again, this time unsuccessfully reaching for nearly $700,000.
Nearly two years later, in May 2019, they hit Coventry schools, damaging the Summit County district’s computers and sending students home for a break before the end of the year. Unlike Avon, the district did not lose any money, but it spent an estimated $80,000 rebounding from the attack.
“It devastated our network,” said Kelly Kendrick, Coventry’s director of operations. “It cost the district a lot, as we spent all summer rebuilding the system and amping up our security.”
Years later, the details about the attacks and who led them have come out in federal charges filed in Cleveland earlier this month. The allegations mark the government’s first legal assault on TrickBot, an international cybercrime network that infected millions of computers globally and seized tens of millions of dollars from unsuspecting banks, governments and businesses.
Cyberattacks have become part of a digital Cold War, a new frontier that included the hacking of Hillary Clinton’s presidential campaign emails in 2016, the creation of fake social media accounts designed to exploit America’s racial divisions and strikes on various government institutions. In recent weeks, malware, reportedly from Russia, hit the Colonial Pipeline and the global meatpacker JBS.
On Wednesday, Russian President Vladimir Putin and U.S. President Joseph Biden announced that they plan to work together on cybersecurity measures — a statement that has left many skeptical of meaningful outcomes.
Biden, however, was forceful, telling reporters afterward that he made it clear that “we have significant cyber capability. And (Putin) knows it.”
The impact of such cybercrimes continues to resonate across Northeast Ohio. Administrators in schools and governments are spending the summer working on measures aimed at stopping the attacks and keeping their networks safe.
Authorities said Alla Witte and TrickBot had a role in creating that fear.
A federal grand jury in Cleveland indicted the 55-year-old Latvian national on 19 charges, including bank fraud, wire fraud and multiple counts of conspiracy stemming from what authorities described as her role in the network. Security specialists said the arrest offered one of the first looks at the origins of TrickBot, an enterprise that developed in Russia in about 2015.
“She wasn’t the kingpin, but she was an integral part of TrickBot,” said Alex Holden, chief executive officer of Hold Security, a cybersecurity firm in Milwaukee that has tracked TrickBot for years. “She moved from one part of the organization to another, and that shows that they had trusted her.”
‘It’s hard on school districts’
TrickBot’s developers created various forms of malware and ransomware to drain bank accounts and introduce viruses to shut down computer systems, according to the indictment in Witte’s case. The indictment does not specify how the organization chose and targeted its victims.
The document alleged that TrickBot hit a country club in Ripon, California, in December 2016. Eleven months later, it struck Avon schools.
On Oct. 19, 2017, TrickBot obtained four separate wire transfers from the district’s accounts, totaling $471,066, the indictment said. The next day, TrickBot tried to access even more, though that attempt failed.
“It’s hard on school districts,” Avon Superintendent Michael Laub said, adding that insurance paid for the loss. “Funding already is hard to come by. I’m glad that they caught the person, but I didn’t have any idea that (the arrest) had happened.”
Nearly a year after the strike in Avon, TrickBot obtained the online banking credentials to grab more than $750,000 in wire transfers from a real-estate business in North Canton, according to the indictment. Federal prosecutors did not identify the firm in the document.
Coventry schools did not suffer a loss from its bank accounts when the malware struck in May 2019, but the attack did spread quickly.
“As soon as we learned about it, we unplugged every single computer in the district,” said Kendrick, the district’s director of operations. “It shut down our network.”
It affected the district’s phones and security access, as well as its heating and cooling systems.
Superintendent Lisa Blough said officials believe the attack initially struck through an email opened by an elementary school teacher, and the district quickly froze its accounts. The FBI took over the case because of its complexity.
“This taught us a very important lesson in being proactive,” Blough said.
The real-estate firm and the Northeast Ohio school districts weren’t alone. The indictment said TrickBot hit schools in Bennington, Vermont; an electrical company in Eastland, Texas; and a country club in Lynchburg, Virginia, as well as other businesses and governments across the country.
A code writer’s alleged role
The indictment said Witte appeared to begin working for TrickBot in about 2018. The filing said she developed malware and ransomware, which told users that someone had attacked their computers and that they needed to buy special software to fix it, with payment through Bitcoin.
Authorities arrested her when she flew into Miami in February. She has denied the charges, and she remains in a Youngstown jail without bond, pending her trial. Her attorney, Edward Bryan, declined to comment.
Holden, the leader of the cybersecurity firm in Milwaukee, wrote in an online report that Witte was born in the Soviet city of Rostov-on-Don. She later moved to Latvia to study math. She remained there after it became an independent country, Holden wrote. For the past few years, she has lived in the South American country of Suriname.
“Several (TrickBot) group members had Alla Witte folders with data,” Holden wrote in the report. “They refer to Alla almost like they would address their mothers.”
Federal prosecutors obtained the indictment in August. She was one of seven people charged, with the others living in either Russia or Ukraine.
The indictment in Cleveland remains under seal, but authorities released a redacted version in Miami following her arrest. The names of Witte’s associates have not been made public.
The indictment listed others as leading TrickBot, with Witte playing a role as a malware developer. Holden, however, stressed in his online report that Witte “acted knowingly and maliciously as a part of the TrickBot gang.”
Officials hailed her arrest and indictment as a victory for law enforcement.
“This indictment puts other Russian hackers on notice; you’ll be tracked down and brought to justice,” said Scott Jasper, a senior lecturer at the U.S. Naval Postgraduate School and the author of the book “Russian Cyber Operations: Coding the Boundaries of Conflict.”
“But these actors seldom stray from Russia, and the Russian government benefits too much from the chaos they create in America to hand them over,” he said.
And the thought of that has left an impression on Northeast Ohio.
“The very first thing we do in the morning is security,” said Coventry’s Kendrick. “It is something we have to do.”
©2021 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.
