
US sanctions Russian exploit broker for buying cyber tools stolen from defense contractor

The U.S. Treasury Department sanctioned a Russian national and his company for allegedly acquiring eight proprietary cyber tools that were stolen from the American defense contractor L3Harris and sold to "unauthorized" customers.

The sanctions center around Russian national Sergey Sergeyevich Zelenyuk, his St. Petersburg-headquartered company Operation Zero, and five other associated people and entities.

Through Operation Zero, Zelenyuk bought and sold proprietary exploits, spyware and other hacking tools, explicitly marketing them to customers from non-NATO countries and foreign intelligence agencies.

The Russian company was involved in the case of Peter Williams — an Australian national who formerly led Trenchant, the division of the defense contractor L3Harris that deals with spyware and zero-day vulnerabilities.

He pleaded guilty to two counts of theft of trade secrets in October after prosecutors accused him of selling national security software that included at least eight “sensitive and protected cyber-exploit components” that were only supposed to be sold to the U.S. government and approved allies. 

Cybersecurity journalist Kim Zetter was first to tie the case to Operation Zero, which was not initially named in court documents. 

The U.S. government linked Williams to Operation Zero on Tuesday, saying he sold the exploits to Operation Zero for $1.3 in cryptocurrency payments, and confirmed that some of the tools he stole from his employer L3Harris were passed on to other unauthorized users by Zelenyuk. 

In addition to the Treasury sanctions, the State Department is also issuing its own sanctions on Zelenyuk, Operation Zero, and an affiliated UAE company called Special Technology Services (STS).

The State Department said these are the first sanctions under a new law known as the Protecting American Intellectual Property Act that is designed to penalize anyone who benefits from the theft of trade secrets. 

U.S. officials said Zelenyuk has bought and sold exploits since 2021, offering millions of dollars to cybersecurity researchers for exclusive vulnerabilities that could be exploited in commonly used software. 

Operation Zero does not tell affected companies about the vulnerabilities it finds and allows customers to use them for any kind of attacks, including ransomware. The company has also sought other digital tools to steal information and to recruit hackers as well as burnish relationships with foreign intelligence agencies. 

The Treasury Department also sanctioned Zelenyuk’s assistant, Marina Evgenyevna Vasanovich, the UAE-based affiliate STS, and Oleg Vyacheslavovich Kucherov — an alleged member of the long-running Trickbot cybercriminal gang.

Trickbot is one of the most prolific Russian cybercriminal operations and is accused of being behind dozens of cyberattacks that have caused billions in damages globally. 

Another associated offensive cybersecurity company, Advance Security Solutions, was included in the sanctions for its role in offering bounties for exploits in U.S. software. The company is allegedly controlled by Azizjon Makhmudovich Mamashoyev and is run out of the UAE and Uzbekistan. 

Kucherov and Mamashoyev “have previously had work relationships with Operation Zero,” Treasury said, but did not elaborate on the connection between the cybercriminal gang and the company. 

During Williams’ trial in October, prosecutors warned that international cyber brokers “are the next wave of international arms dealers” and said his theft cost L3Harris $35 million. 

The tools he sold provided foreign cyber actors with “sophisticated cyber exploits that were likely used against numerous unsuspecting victims,” according to prosecutors. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.