US sanctions Russian cybercriminal group ‘Evil Corp’ over $100M hack
The US Treasury Department announced new sanctions Thursday on a Russian-based cybercriminal organization called “Evil Corp” for using malware to steal more than $100 million from hundreds of banks and financial institutions.
Specifically, Evil Corp used the malware known as Dridex to “infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft,” according to the Treasury Department.
US banks were a prime target, a senior administration official said Thursday.
“Treasury is sanctioning Evil Corp as part of a sweeping action against one of the world’s most prolific cybercriminal organizations. This coordinated action is intended to disrupt the massive phishing campaigns orchestrated by this Russian-based hacker group,” Treasury Secretary Steven Mnuchin said in a statement.
“OFAC’s action is part of a multiyear effort with key NATO allies, including the United Kingdom. Our goal is to shut down Evil Corp, deter the distribution of Dridex, target the ‘money mule’ network used to transfer stolen funds, and ultimately to protect our citizens from the group’s criminal activities,” he added.
The name “Evil Corp” appears to be a reference to the fictional, monolithic corporation in the television series “Mr. Robot.”
The US also unsealed an indictment on Thursday against two Russians as part of a hacking conspiracy beginning in 2011 to defraud companies and others of millions of dollars. A record $5 million reward has been offered for help in arresting the two men, Igor Turashev and Maksim Yakubets.
Yakubets was already on the FBI’s most wanted cybercriminals list and is now accused of leading a gang that used malicious programs to track the keystrokes of American victims and steal their banking login information.
The malware was spread through common spearphishing emails and spam campaigns, allowing the group to access the confidential information of people that clicked an infected link.
Luggage store and order of Franciscan sisters targeted
One of the viruses that targeted small- to mid-sized US companies without robust cyber defenses allegedly caused an estimated $70 million in losses, law enforcement officials said. The victims included a high school in a small steel town in Pennsylvania, a luggage store in New Mexico, and an order of Franciscan sisters, who allegedly had tens of thousands of dollars stolen from them.
“Today’s announcement should make clear to those engaged in cybercrime that we will identify you, we will unmask you, and we will prosecute you, no matter how much effort it requires or how long it might take,” said Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division. “You will never have safe haven from the efforts of the US law enforcement and our international partners.”
While Evil Corp is not named in the indictment, Yakubets is also the organization’s leader, according to the Treasury Department. He also has ties to Russian intelligence services, an administration official said, although neither him nor Turashev are accused in charging documents of receiving backing or direction from the Russian government.
“The group’s leader, Maksim Yakubets, also provides direct assistance to the Russian government’s malicious cyber efforts, highlighting the Russian government’s enlistment of cybercriminals for its own malicious purposes,” the department’s statement said.
Turashev is accused of working with Yakubets in deploying Bugat malware to steal Americans’ finances. The Justice Department had previously accused both Turashev and Yakubets, along with three alleged associates, of related crimes in 2015.
A senior administration official said that the charges reveal “yet another example of the Russian government enlisting” criminals who are behind “cyber crimes to carry out malign activities” on its behalf.
Russai efforts “second in tempo only to Iran”
The official also said Trump administration efforts to target Russia for these kinds of acts are “second in tempo only to Iran.”
“Maksim Yakubets is not the first cybercriminal to be tied to the Russian government. In 2017, the Department of Justice indicted two Russian Federal Security Service (FSB) officers and their criminal conspirators for compromising millions of Yahoo email accounts. The United States Government will not tolerate this type of activity by another government or its proxies and will continue to hold all responsible parties accountable,” the Treasury statement said.
US law enforcement often works with European partners to fight international cybercrime, which can transcend national borders. But it’s struggled to stop crime emanating from Russia, where the constitution forbids extraditing citizens. The US is often forced to use a strategy of sealing indictments and hoping Russian suspects travel to a country friendlier to the US.
“Because these criminals are in Russia, some may ask why pursue them, you may never get your hands on them. It’s difficult, no doubt, but it’s not impossible, as we have shown time and time again over the past number of years,” FBI Deputy Director David Bowdich said at a press conference announcing the new charges and reward.
“The Russian government did provide a response to a mutual legal assistance treaty request. It was a response that was helpful in the investigation to a point,” Bowdich later said. “To a point.”
Several others accused of working with the gang have already been arrested. In 2016, Belarusian authorities convicted and sentenced four people for their role in the scheme.
At least 300 organizations in 43 countries have been affected by the gang’s theft, said Director Rob Jones of the Cyber Crime Unit at the United Kingdom’s National Crime Agency.
In Russia, the indicted men are part of a group that live a “flamboyant” and “cash rich” lifestyle, Jones said, citing online evidence gathered by authorities from the hackers’ associates.
“We’ve been able to identify an online presence for associates of these individuals… which gives you a very good pen portrait of their behavior and the type of lifestyle they lead, which is cash rich, fast cars, behaving and acting like very flamboyant and extravagant millionaires,” Jones said.
CNN’s David Shortell and Nicole Gaouette contributed to this report