The United States Treasury Department has imposed sanctions on two companies that trade in zero-day software exploits, alongside their founders and associates, citing a threat to national security. The action targets Operation Zero, a Russian firm, and its founder Sergey Zelenyuk, for acquiring and reselling stolen US cyber tools.

The sanctions, announced on Tuesday, also extend to an affiliate company in the United Arab Emirates, Special Technology Services, and several individuals connected to the brokers. Officials stated the move aims to disrupt the market for vulnerabilities unknown to software developers, which can be weaponised for espionage or ransomware attacks.

Stolen US Government Tools Sold On

The Treasury’s Office of Foreign Assets Control (OFAC) stated that Operation Zero acquired “at least eight proprietary cyber tools, which were created for the exclusive use of the U.S. government and select allies and which were stolen from a U.S. company,” subsequently selling them to “at least one unauthorised user.”

This coincides with an FBI investigation into Peter Williams, a former general manager at US defence contractor L3Harris’s subsidiary Trenchant. Williams pleaded guilty in October to selling company exploits to a Russian broker, which the Treasury has now confirmed was Operation Zero.

Links to Ransomware and a Second Broker

Operation Zero, launched in 2021, publicly offered multi-million dollar bounties for zero-days in mobile devices and apps like Telegram, claiming to work exclusively with the Russian government. The Treasury alleges its customers “could use the tools to launch ransomware attacks or engage in other malign activities.”

One sanctioned associate, Oleg Vyacheslavovich Kucherov, is suspected of being a member of the Trickbot ransomware gang. Another, Azizjon Makhmudovich Mamashoyev, is alleged to be the founder of a second sanctioned zero-day broker, Advance Security Solutions, based in the UAE.

Zero-day exploit: An attack tool that takes advantage of a software vulnerability that is unknown to the vendor and has no available patch, making it highly valuable to hackers and intelligence agencies.

Legal Basis and Broader Crackdown

The sanctions leverage a 2022 federal law allowing action against those involved in “significant thefts of trade secrets.” This represents a continued US and allied effort to financially disrupt the ecosystem supporting cyber espionage and offensive operations.

Trenchant, the company from which the tools were stolen, develops hacking and surveillance technologies for the US government and its Five Eyes intelligence partners (Australia, Canada, New Zealand, and the United Kingdom). The Treasury did not respond to follow-up questions regarding the sanctions.

Requests for comment sent to Operation Zero, Sergey Zelenyuk, and the other named individuals were not returned. A person operating an Advance Security Solutions chat account disputed, without evidence, that Mamashoyev is the company's founder.