US sanctions Russian group over $100M cyber hack

Multiple federal agencies on Thursday, including the departments of Justice, State and Treasury, took action against Russians involved in the theft of millions of dollars from bank accounts worldwide through cyber hacking operations.

The Treasury Department’s Office of Foreign Assets Control issued sanctions against a group known as Evil Corp, which is a Russian-based cybercriminal group responsible for the Dridex malware. Officials say this malware has been used to infect computers and steal more than $100 million from hundreds of banks and financial institutions in over 40 countries.  

The sanctions targeted 17 individuals and seven entities associated with Evil Corp, including Evil Corp’s leader, Maksim Yakubets.

In conjunction with the sanctions, the State Department announced a reward of up to $5 million for information that could lead to the capture and conviction of Yakubets, which represents the largest potential reward for a cyber criminal ever issued by the department.

“Treasury is sanctioning Evil Corp as part of a sweeping action against one of the world’s most prolific cybercriminal organizations,” Treasury Secretary Steven Mnuchin said in a statement on Thursday. “This coordinated action is intended to disrupt the massive phishing campaigns orchestrated by this Russian-based hacker group.”

Mnuchin noted that “our goal is to shut down Evil Corp, deter the distribution of Dridex, target the ‘money mule’ network used to transfer stolen funds, and ultimately to protect our citizens from the group’s criminal activities.”

The malware virus has been spread mostly through the use of phishing emails that encourage individuals to click on malicious links or attachments that lead to Dridex being downloaded. Officials say that Evil Corp was able to steal credentials, and then funds from victims’ bank accounts, after the virus was on a system.

In addition to the State and Treasury actions, the Justice Department joined with multiple other U.S. and British agencies in unsealing indictments against both Yakubets and another Russian national, Igor Turashev.

Yakubets and Turashev were charged in relation to computer hacking and bank fraud schemes going back to 2009. A 10-count indictment, which was issued in the U.S. District Court for the Western District of Pennsylvania, charges Yakubets and Turashev with alleged conspiracy, computer hacking, wire fraud and bank fraud in relation to the Dridex malware and its earlier version, known as Bugat.

“Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide,” Assistant Attorney General Brian Benczkowski said in a statement. “These two cases demonstrate our commitment to unmasking the perpetrators behind the world’s most egregious cyberattacks.”

Yakubets and Turashev are alleged in the indictment to have victimized multiple entities in Pennsylvania, including a school district, two banks, a firearm manufacturer, a technology company and a petroleum business. The attacks occurred as recently as March of this year, and involved the theft of millions of dollars, U.S. officials say.

“Deploying ‘Bugat’ malware, also known as ‘Cridex’ and ‘Dridex,’ these cybercriminals targeted individuals and companies in western Pennsylvania and across the globe in one of the most widespread malware campaigns we have ever encountered,” U.S. Attorney Scott Brady for the Western District of Pennsylvania said in a statement. “International cybercriminals who target Pennsylvania citizens and companies are no different than any other criminal: they will be investigated, prosecuted and held accountable for their actions.” 

Beyond the indictment, a criminal complaint was also unsealed Thursday in the U.S. District Court of Nebraska against Yakubets, who along with his co-conspirators is alleged to have used “Zeus” malware to target and victimize 21 municipalities, banks, companies, and non-profit groups in a dozen U.S. states, including a religious group in Nebraska. 

The use of this malware resulted in the theft of around $70 million from the bank accounts of the victims, and an attempted theft of around $220 million. 

The FBI, the United Kingdom’s National Crime Agency and law enforcement groups in the Netherlands, Ukraine, Belarus, Germany and Russia were also involved in actions taken against Yakubets and Turashev.

FBI Deputy Director David Bowdich said that despite the individuals not being in the United States, the actions taken by federal agencies are meant to “expose criminals who hide behind devices and launch attacks that threaten our public safety and economic stability.”

Bowdich emphasized in a statement that “the FBI, with the assistance of private industry and our international and U.S. government partners, is sending a strong message that we will work together to investigate and hold all criminals accountable. Our memory is long and we will hold them accountable under the law, no matter where they attempt to hide.”

The Justice Department previously indicted another individual, Andrey Ghinkul, for spreading the Dridex malware in 2015, while the FBI has also previously taken action to disrupt the global infrastructure used by Evil Corp.