The U.S. Justice and Treasury departments took action Wednesday against a Russian hacking group known as “Evil Corp,” which stole “at least” $100 million from banks using malicious software that harvested online banking credentials, according to a joint press release.
“Evil Corp.,” a name reminiscent of the nickname for the key malevolent corporation in the popular television drama “Mr. Robot,” is “run by a group of individuals based in Moscow, Russia, who have years of experience and well-developed, trusted relationships with each other,” according to a Treasury Department press release.
The criminal group used a type of malware known as “Dridex,” which was built to evade common antivirus software and spread through emailed phishing campaigns. Once a machine was infected, the malware could steal login credentials and drain the accounts of bank employees and bank customers, forwarding the proceeds to offshore accounts held by Evil Corp, according to the press release. The group also stole an estimated $70 million using an earlier, similar malware known as “Zeus.”
The federal agencies say Evil Corp’s criminal proceeds are likely “significantly higher” than the estimated $100 million, making the enterprise one of the biggest cybercriminal groups ever identified, according to the release.
The Justice Department announced indictments against key ringleaders of the group, while the Treasury Department announced sanctions against Evil Corp through its Office of Foreign Assets Control (OFAC).
“Treasury is sanctioning Evil Corp as part of a sweeping action against one of the world’s most prolific cybercriminal organizations. This coordinated action is intended to disrupt the massive phishing campaigns orchestrated by this Russian-based hacker group,” said Steven Mnuchin, Secretary of the Treasury, in a statement. “OFAC’s action is part of a multiyear effort with key NATO allies, including the United Kingdom. Our goal is to shut down Evil Corp, deter the distribution of Dridex, target the ‘money mule’ network used to transfer stolen funds, and ultimately to protect our citizens from the group’s criminal activities.”
Beyond individual bank accounts, the group targeted corporations and public institutions using a variety of methods. Penneco Oil allegedly lost millions of dollars to Evil Corp, with the funds transferred to a bank in Minsk, Belarus. The group also targeted, apparently unsuccessfully, the Sharon City School District in Western Pennsylvania, among other victims outside the financial services sector.
In all, the action targets 17 individuals associated with the organization, including Evil Corp’s leader, Maksim Yakubets. The State Department has offered a $5 million reward for information leading to his arrest or conviction.
In addition to his cybercriminal activities, Yakubets, “also provides direct assistance to the Russian government’s malicious cyber efforts, highlighting the Russian government’s enlistment of cybercriminals for its own malicious purposes,” according to the Treasury Department.
Treasury, through OFAC, and the Justice Department have focused on spotlighting the Russian government’s persistent use of known criminals in state-sponsored activity, a practice they say blurs the line between a purely criminal enterprise and an operation of Putin’s government.
However, the U.S. government rarely succeeds in extraditing indicted criminals from Russia, where most of those named in Wednesday’s action currently reside. Two Ukrainian co-conspirators named in the indictments, Yuriy Konovalenko and Yevhen Kulibaba, were extradited from the U.K. and pleaded guilty to conspiracy and racketeering charges in 2015. Both have already completed their sentences.
In addition to Yakubets, the actions name Denis Gusev, “a senior member of Evil Corp,” who serves as the director of several other businesses based in Russia, including Biznes-Stolitsa, Optima, Treid-Invest, TSAO, Vertikal and Yunikom, which operate in several different industries, among them trade, wholesale goods and forestry. The companies are also subject to OFAC sanctions, according to Treasury.
“Evil Corp relies upon a cadre of core individuals to carry out critical logistical, technical, and financial functions such as managing the Dridex malware, supervising the operators seeking to target new victims, and laundering the proceeds derived from the group’s activities,” Treasury said. Other members cited for allegedly “providing material assistance” in this way, according to Treasury, include Dmitriy Smirnov, Artem Yakubets, Ivan Tuchkov, Andrey Plotnitskiy, Dmitriy Slobodskoy, and Kirill Slobodskoy.