Two Russians indicted over Dridex and Zeus malware
The US Department of Justice has indicted two Russian citizens over their alleged role in the distribution of the virulent Bugat, or Dridex, and Zeus banking trojans
Two Russian citizens have been indicted in the US over their alleged role in the dissemination of the Bugat – more recently known as Dridex – and Zeus banking trojans, described as two of the worst computer hacking and bank fraud schemes of the past decade.
The indictments mark the culmination of a multi-year, multinational investigation which, besides US law enforcement, included the UK’s National Crime Agency (NCA) and the Metropolitan Police.
The two men, both currently believed to be in Russia, are Maksim Yakubets, who has been charged for his alleged role as the leader of an organised criminal gang responsible for the distribution of the Bugat malware package, and co-conspirator Igor Turashev.
Both men were indicted in Pittsburgh, Pennsylvania, on 10 counts, including conspiracy, computer hacking, wire fraud and bank fraud. Additionally, Yakubets, who went by the online handle “Aqua”, has been charged in a criminal complaint in Lincoln, Nebraska, over his role in the dissemination of Zeus.
Bugat targeted Windows users through macros in Microsoft software, which executed and downloaded the trojan when its targets opened email attachments in Word or Excel. Zeus, which also affected Microsoft Windows endpoints, stole banking credentials through keylogging and form grabbing, and was also used to install the CryptoLocker ransomware strain.
Speaking at a press conference in Washington DC, US assistant attorney general Brian Benczkowski said: “Yakubets is a true 21st century criminal who, with the stroke of a key and the click of a mouse, committed cyber crimes across the globe. He has earned his place on the FBI’s list of the world’s most-wanted cyber criminals.
“Yakubets and his co-conspirators did not discriminate in their choice of targets. For example, the Nebraska complaint alleges that Yakubets was directly involved in the theft of tens of thousands of dollars from a religious order of Franciscan sisters.
“Maksim Yakubets and the members of his criminal networks devised and implemented the kinds of criminal schemes so audacious and sophisticated that they would be difficult to imagine if they were not real.
“Each and every one of these computer intrusions was, effectively, a cyber-enabled bank robbery. We take such crimes extremely seriously and will do everything in our power to hold these criminals to justice”
Brian Benczkowski, US assistant attorney general
“Sitting quietly at computer terminals far away, these cyber criminals allegedly stole tens of millions of dollars from unwitting members of our business, non-profit, governmental, and religious communities.
“Each and every one of these computer intrusions was, effectively, a cyber-enabled bank robbery. We take such crimes extremely seriously and will do everything in our power to hold these criminals to justice.”
The losses incurred through the activities of Yakubets’ group – known as Evil Corp – totalled hundreds of millions of pounds in both the UK, the US, and other countries.
Additional investigations in the UK targeted a network of money launderers who funnelled profits back to Evil Corp, for which eight people have already gone to prison. Other intelligence supplied through UK law enforcement has helped support sanctions brought against the group by the US Treasury’s Office of Foreign Asset Control.
The NCA described the operation as a sophisticated and technically skilled one, which represented one of the most significant cyber crime threats ever faced in the UK.
Lynne Owens, NCA director general, said: “The significance of this group of cyber criminals is hard to overstate; they have been responsible for campaigns targeting our financial structures with multiple strains of malware over the last decade. We are unlikely to ever know the full cost, but the impact on the UK alone is assessed to run into the hundreds of millions.”
Lavish lifestyles
Although the two accused men remain in Russia, those behind the investigations said they hoped that unmasking them would cause significant harm to their ability to continue to operate by subjecting them to international scrutiny and making them toxic in the eyes of other cyber criminals. Both are liable to extradition should they attempt to leave Russia.
The US State Department said it had placed a $5m bounty on Yakubets, who splurged some of the stolen cash on a customised Lamborghini supercar with a vanity plate that translates to “thief”. He also blew over a quarter of a million pounds on his own wedding.
“While the harm caused by this group has targeted mainly financial institutions, there is no doubt that their activity has had real-world impacts, defrauding and stealing from victims in the UK and worldwide. The Lamborghini Yakubets drives was someone’s life savings, now emptied from their bank account,” said the NCA’s Owens.
Paul Chichester, director of operations at the National Cyber Security Centre (NCSC), said: “Today’s announcement is the result of a multi-year investigation with our law enforcement and international partners.
“Dridex has been targeting UK victims since at least 2014, compromising and stealing from large organisations, SMEs and the general public.
“Malware is a continuing cyber threat, but we can all reduce our risk of becoming victims to cyber criminals by ensuring our devices are patched, antivirus is turned on and up to date, and files are backed up.”
Mobile banking malware surged in the first half of the year, email scams geared up and attacks on cloud increased, while illicit cryptocurrency miners declined, report reveals.
Thousands of Windows endpoints in the US and Europe have been infected by a new fileless malware campaign in the past few weeks.
