The U.S. Departments of Justice and the Treasury took action Thursday against the Russian hacking group Evil Corp. In a joint statement, they said the group used malware to steal bank credentials and stole “at least” $100 million from several banks. According to a press release issued by the U.S. Treasury Department, Evil Corp is “run by a group of individuals in Moscow, Russia, who have many years of experience and have developed good relationships of trust with each other.”
The criminal group uses malware called “Dridex” that evades common anti-virus software and spreads through email phishing campaigns. Once a target is infected, the malware can steal login credentials, empty the accounts of bank employees and customers, and transfer illegal proceeds to offshore accounts held by Evil Corp, the press release said. In addition, the group used similar malware called Zeus to steal about $70 million.
The press release said the U.S. Department of Justice and the Treasury Department believed that Evil Corp's proceeds were likely to be “much higher” than the estimated $100 million stolen, meaning the group was one of the largest hacking organizations in history.
The U.S. Department of Justice announced charges against the group’s chief executive, while the U.S. Treasury Department announced that its Office of Foreign Assets Control (OFAC) would impose sanctions on Evil Corp.
“The U.S. Treasury Department is sanctioning Evil Corp, one of the world’s most prolific cybercrime organizations, as part of a comprehensive effort we will take. The coordinated operation was aimed at disrupting a large-scale phishing operation orchestrated by the Russian hacking group,” Treasury Secretary Steven Mnuchin said in a statement. “OFAC has worked for years with key NATO allies, including the UK, and this operation is part of that effort. Our goal is to shut down Evil Corp, stop Dridex from spreading, crack down on the ‘money mule’ network used to transfer stolen funds, and ultimately protect our citizens from the group’s criminal activities.”
In addition to bank accounts, the organization uses a variety of methods to target large companies. Evil Corp allegedly stole millions of dollars from the oil company Penneco Oil; the money was then transferred to a bank in Minsk, Belarus. In addition, the group has attacked the Sharon City School District in western Pennsylvania and other targets outside the financial services industry, apparently without success.
Overall, the operation targeted 17 people, including Maksim Yakubets, the head of Evil Corp. The U.S. State Department has offered a $5 million reward for information on Yakubets.
In addition to being suspected of cybercrime, Yakubets “provided direct assistance to the malicious cyber activities of the Russian government, highlighting the Russian government’s recruitment of cybercriminals for its own malicious purposes,” the Treasury Department said.
OFAC, the Treasury and the Justice Department have focused their efforts on action to try to expose the Russian government’s continued use of known criminals in state-backed activities. But the U.S. government has rarely succeeded in extraditing alleged criminals from Russia, where most of the people named in Thursday’s operation are now living. The two Ukrainian accomplices named in the indictment, Yuriy Konovaleko and Yevhen Kulibaba, were extradited from the UK to the United States in 2015 and have pleaded guilty to conspiracy and extortion charges. Both have served their sentences.
In addition to Yakubets, Denis Gusev is a senior member of Evil Corp and serves at several other companies in Russia, such as Biznes-Stolitsa, Optima, Treid-Invest, TSAO, Vertikal and Yunikom, which operate in trade, wholesale commodities and forestry. The Treasury said the companies would also be subject to OFAC sanctions.
“The Company relies on a core group of people to perform key logistical, technical, and financial functions, such as managing malware, supervising operators trying to find new victims, and laundering,” the press release said. The U.S. Treasury Department said other members were accused of “providing material assistance” to the group in this way, including Dmitry Smirnov, Artem Yakubets, Ivan Tuchkov, Andrey Plonitskiy, Dmitriy Slobodskoy and Kirill Slobodskoy.