Tag: security

  • Man Arrested for Snowflake Hacking Spree Faces US Extradition

    For much of this summer, a mysterious group of hackers carried out a landmark spree of major data breaches, all targeting customers of the cloud data storage company Snowflake. Now one alleged hacker—whom experts believe to be the ringleader of that group—has been arrested in Canada, and he may be on his way to a US court.

    On Monday, Bloomberg and 404 Media reported that a Canadian man named Alexander Moucka, who also goes by the name Connor Moucka, was detained at the end of October on a provisional arrest warrant. Moucka then appeared in a court hearing today, November 5, as part of extradition proceedings, 404 Media first reported.

    Under the hacker handles Waifu and Judische, Moucka is believed to be a notorious figure in the cybercriminal underground, says Allison Nixon, a security researcher and the chief research officer at security firm Unit 221B, who has long tracked his online activity. She alludes to Moucka’s alleged hacking activity going back years prior to the Snowflake breaches. “I was waiting for this one,” says Nixon. “Waifu was the leader of a group who was responsible for many major intrusions over the last half decade.”

    Suspicious activity linked to Snowflake customer accounts was first spotted in April, according to a June report by Google-owned security company Mandiant, which was employed by Snowflake to jointly investigate the hacking. The first unknown victim’s Snowflake systems had been accessed using login details that were previously taken by infostealer malware, the report says. Over the next couple of chaotic months, more than 165 Snowflake customers, according to Mandiant’s report, potentially had data they stored in Snowflake’s systems exposed or stolen. Hundreds of millions of records from AT&T, Santander, Ticketmaster owner Live Nation Entertainment, and more were accessed in the hacking spree.

    Mandiant’s report in June said that the majority of the compromised Snowflake accounts did not have multi-factor authentication turned on and credentials gathered from infostealer logs—some dating back to 2020—were used to access them. Since the breaches, Snowflake has updated its systems to require multi-factor authentication to be turned on by default.

    A spokesperson for Snowflake tells WIRED it has no comment on the arrest. Ian McLeod, a spokesperson for Canada’s Department of Justice, says Moucka was arrested following a request by the United States. “As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case,” McLeod says.

  • Inside the Massive Crime Industry That’s Hacking Billion-Dollar Companies

    On October 20, a hacker who calls themselves Dark X said they logged in to a server and stole the personal data of 350 million Hot Topic customers. The following day, Dark X listed the data, including alleged emails, addresses, phone numbers, and partial credit card numbers, for sale on an underground forum. The day after that, Dark X said Hot Topic kicked them out.

    Dark X told me that the apparent breach, which is possibly the largest hack of a consumer retailer ever, was partly due to luck. They just happened to get login credentials from a developer who had access to Hot Topic’s crown jewels. To prove it, Dark X sent me the developer’s login credentials for Snowflake, a data warehousing tool that hackers have repeatedly targeted recently. Alon Gal from cybersecurity firm Hudson Rock, which first found the link between infostealers and the Hot Topic breach, said he was sent the same set of credentials by the hacker.

    The luck part is true. But the claimed Hot Topic hack is also the latest breach directly connected to a sprawling underground industry that has made hacking some of the most important companies in the world child’s play.

    AT&T. Ticketmaster. Santander Bank. Neiman Marcus. Electronic Arts. These were not entirely isolated incidents. Instead, they were all hacked thanks to “infostealers,” a type of malware that is designed to pillage passwords and cookies stored in the victim’s browser. In turn, infostealers have given birth to a complex ecosystem that has been allowed to grow in the shadows and where criminals fulfill different roles. There are Russian malware coders continually updating their code; teams of professionals who use glitzy advertising to hire contractors to spread the malware across YouTube, TikTok, or GitHub; and English-speaking teenagers on the other side of the world who then use the harvested credentials to break into corporations. At the end of October, a collaboration of law enforcement agencies announced an operation against two of the world’s most prevalent stealers. But the market has been able to grow and mature so much that now law enforcement action against even one part of it is unlikely to make any lasting dent in the spread of infostealers.

    Based on interviews with malware developers, hackers who use the stolen credentials, and a review of manuals that tell new recruits how to spread the malware, 404 Media has mapped out this industry. Its end result is that a download of an innocent-looking piece of software by a single person can lead to a data breach at a multibillion-dollar company, putting Google and other tech giants in an ever-escalating cat-and-mouse game with the malware developers to keep people and companies safe.

    “We are professionals in our field and will continue to work on bypassing future Google updates,” an administrator for LummaC2, one of the most popular pieces of infostealer malware, told me in an online chat. “It takes some time, but we have all the resources and knowledge to continue the fight against Chrome.”

    The Stealers

    The infostealer ecosystem starts with the malware itself. Dozens of these exist, with names like Nexus, Aurora, META, and Raccoon. The most widespread infostealer at the moment is one called RedLine, according to cybersecurity firm Recorded Future. Having a prepackaged piece of malware also dramatically lowers the barrier to entry for a budding new hacker. The administrator of LummaC2, which Recorded Future says is in the top 10 of infostealers, said it welcomes both beginner and experienced hackers.

    Initially, many of these developers were interested in stealing credentials or keys related to cryptocurrency wallets. Armed with those, hackers could empty a victim’s digital wallets and make a quick buck. Many today still market their tools as being able to steal bitcoin and have even introduced OCR to detect seed phrases in images. But recently those same developers and their associates figured out that all of the other stuff stored in a browser—passwords to the victim’s place of work, for example—could generate a secondary stream of revenue.

  • Zero-Click Flaw Exposes Potentially Millions of Popular Storage Devices to Attack

    The researchers also said the photo application, which helps users organize photos, provided easy access whether customers connect their NAS device directly to the internet themselves or through Synology’s QuickConnect service, which allows users to access their NAS remotely from anywhere. And once attackers find one cloud-connected Synology NAS, they can easily locate others due to the way the systems get registered and assigned IDs.

    “There are a lot of these devices that are connected to a private cloud through the QuickConnect service, and those are exploitable as well, so even if you don’t directly expose it to the internet, you can exploit [the devices] through this service, and that’s devices in the order of millions,” says Wetzels.

    The researchers were able to identify cloud-connected Synology NASes owned by police departments in the United States and France, as well as a large number of law firms based in the US, Canada, and France, and freight and oil tank operators in Australia and South Korea. They even found ones owned by maintenance contractors in South Korea, Italy, and Canada that work on power grids and in the pharmaceutical and chemical industries.

    “These are firms that store corporate data … management documents, engineering documents and, in the case of law firms, maybe case files,” Wetzels notes.

    The researchers say ransomware and data theft aren’t the only concern with these devices—attackers could also turn infected systems into a botnet to service and conceal other hacking operations, such as a massive botnet that Volt Typhoon hackers from China had built from infected home and office routers to conceal their espionage operations.

    Synology did not respond to a request for comment, but the company’s web site posted two security advisories related to the issue on October 25, calling the vulnerability “critical.” The advisories, which confirmed that the vulnerability was discovered as part of the Pwn2Own contest, indicate that the company released patches for the vulnerability. Synology’s NAS devices do not have automatic update capability, however, and it’s not clear how many customers know about the patch and have applied it. With the patch released, it also makes it easier for attackers to now figure out the vulnerability from the patch and design an exploit to target devices.

    “It’s not trivial to find [the vulnerability] on your own, independently,” Meijer tells WIRED, “but it is pretty easy to figure out and connect the dots when the patch is actually released and you reverse-engineer the patch.”

  • Spies can eavesdrop on phone calls by sensing vibrations with radar

    An off-the-shelf millimetre wave sensor can pick out the tiny vibrations made by a smartphone’s speaker, enabling an AI model to transcribe the conversation, even at a distance in a noisy room

  • Inside Sophos’ 5-Year War With the Chinese Hackers Hijacking Its Devices

    For years, it’s been an inconvenient truth within the cybersecurity industry that the network security devices sold to protect customers from spies and cybercriminals are, themselves, often the machines those intruders hack to gain access to their targets. Again and again, vulnerabilities in “perimeter” devices like firewalls and VPN appliances have become footholds for sophisticated hackers trying to break into the very systems those appliances were designed to safeguard.

    Now one cybersecurity vendor is revealing how intensely—and for how long—it has battled with one group of hackers that have sought to exploit its products to their own advantage. For more than five years, the UK cybersecurity firm Sophos engaged in a cat-and-mouse game with one loosely connected team of adversaries who targeted its firewalls. The company went so far as to track down and monitor the specific devices on which the hackers were testing their intrusion techniques, surveil the hackers at work, and ultimately trace that focused, years-long exploitation effort to a single network of vulnerability researchers in Chengdu, China.

    On Thursday, Sophos chronicled that half-decade-long war with those Chinese hackers in a report that details its escalating tit-for-tat. The company went as far as discreetly installing its own “implants” on the Chinese hackers’ Sophos devices to monitor and preempt their attempts at exploiting its firewalls. Sophos researchers even eventually obtained from the hackers’ test machines a specimen of “bootkit” malware designed to hide undetectably in the firewalls’ low-level code used to boot up the devices, a trick that has never been seen in the wild.

    In the process, Sophos analysts identified a series of hacking campaigns that had started with indiscriminate mass exploitation of its products but eventually became more stealthy and targeted, hitting nuclear energy suppliers and regulators, military targets including a military hospital, telecoms, government and intelligence agencies, and the airport of one national capital. While most of the targets—which Sophos declined to identify in greater detail—were in South and Southeast Asia, a smaller number were in Europe, the Middle East, and the United States.

    Sophos’ report ties those multiple hacking campaigns—with varying levels of confidence—to Chinese state-sponsored hacking groups including those known as APT41, APT31, and Volt Typhoon, the latter of which is a particularly aggressive team that has sought the ability to disrupt critical infrastructure in the US, including power grids. But the common thread throughout those efforts to hack Sophos’ devices, the company says, is not one of those previously identified hacker groups but instead a broader network of researchers that appears to have developed hacking techniques and supplied them to the Chinese government. Sophos’ analysts tie that exploit development to an academic institute and a contractor, both around Chengdu: Sichuan Silence Information Technology—a firm previously tied by Meta to Chinese state-run disinformation efforts—and the University of Electronic Science and Technology of China.

    Sophos says it’s telling that story now not just to share a glimpse of China’s pipeline of hacking research and development, but also to break the cybersecurity industry’s awkward silence around the larger issue of vulnerabilities in security appliances serving as entry points for hackers. In just the past year, for instance, flaws in security products from other vendors including Ivanti, Fortinet, Cisco, and Palo Alto have all been exploited in mass hacking or targeted intrusion campaigns. “This is becoming a bit of an open secret. People understand this is happening, but unfortunately everyone is zip,” says Sophos chief information security officer Ross McKerchar, miming pulling a zipper across his lips. “We’re taking a different approach, trying to be very transparent, to address this head-on and meet our adversary on the battlefield.”

    From One Hacked Display to Waves of Mass Intrusion

    As Sophos tells it, the company’s long-running battle with the Chinese hackers began in 2018 with a breach of Sophos itself. The company discovered a malware infection on a computer running a display screen in the Ahmedabad office of its India-based subsidiary Cyberoam. The malware had gotten Sophos’ attention due to its noisy scanning of the network. But when the company’s analysts looked more closely, they found that the hackers behind it had already compromised other machines on the Cyberoam network with a more sophisticated rootkit they identified as CloudSnooper. In retrospect, the company believes that initial intrusion was designed to gain intelligence about Sophos products that would enable follow-on attacks on its customers.

    Then in the spring of 2020, Sophos began to learn about a broad campaign of indiscriminate infections of tens of thousands of firewalls around the world in an apparent attempt to install a trojan called Asnarök and create what it calls “operational relay boxes” or ORBs—essentially a botnet of compromised machines the hackers could use as launching points for other operations. The campaign was surprisingly well-resourced, exploiting multiple zero-day vulnerabilities the hackers appeared to have discovered in Sophos appliances. Only a bug in the malware’s cleanup attempts on a small fraction of the affected machines allowed Sophos to analyze the intrusions and begin to study the hackers targeting its products.

  • The Untold Story of Trump’s Failed Attempt to Overthrow Venezuela’s President

    On September 26, 2018, Venezuelan president Nicolás Maduro approached the lectern at the United Nations General Assembly in New York City. Hulking and mustachioed, wearing a black suit and a bright red tie, Maduro was in a bilious mood.

    At home, Maduro’s political position was deteriorating. The former bus driver turned autocrat had ruled Venezuela for five years, and had recently “won” reelection in a contest widely considered to be fraudulent. But he was facing stiffer-than-expected pushback. Anti-government protests were wracking the oil-rich South American nation. Hyperinflation was obliterating its economy. More than a million Venezuelans had fled, triggering a hemispheric refugee crisis.

    For some time, the Trump administration had been working furiously to push Maduro—an ally of Cuba and Russia—out of power. In fact, then-president Donald Trump had even mused publicly about exercising “a possible military option, if necessary,” to deal with Venezuela. The day before Maduro’s General Assembly address, Trump stood at the same UN podium, called the situation in Venezuela a “human tragedy,” and decried the “suffering, corruption, and decay” wrought by communist and socialist regimes. The US president then announced the imposition of new sanctions against members of Maduro’s inner circle.

    When Maduro began his UN address, he was raring to punch back. His country was the “victim of a permanent aggression” by the “imperial” United States, he said. Venezuela’s attempt at geopolitical independence—and huge gold and petroleum reserves—had aroused the ire and avarice of the “oligarchies of the continent and those who dominate from Washington,” he added.

    Maduro’s harangue got darker. He claimed that a recent attempt on his life—two drones had exploded during an address he was giving outdoors in Caracas—had been masterminded by shadowy actors from within the United States. (Trump administration officials publicly denied any role in the drone attack and a dissident member of the Venezuelan army later claimed responsibility.) In recent days, Maduro had even said he was considering skipping the UN meeting altogether, because he was worried about an assassination attempt.

    As bitter adversaries, the Trump administration and Maduro regime didn’t agree on, well, anything. Except for the fact that the US government wanted Maduro gone.

    After that UN meeting, the Trump administration amped up its efforts around the world to isolate and depose the Venezuelan leader, including by levying additional punishing sanctions against his regime. Much of that diplomatic maneuvering played out in public. But the administration also put into motion another, very much secret prong to the US’s regime-change campaign: a covert CIA-run initiative to help overthrow the Venezuelan strongman.

  • ‘We’re a Fortress Now’: The Militarization of US Elections Is Here

    Drones, snipers, razor wire, sniffer dogs, body armor, bulletproof glass, and 24-hour armed security.

    This is not a list of protections in place for a visit by the president of the United States nor the contents of a shipment to frontline troops fighting in Ukraine. This is a list of the security measures election officials in counties across the US have had to implement ahead of Tuesday’s vote as a result of the unprecedented threats they have faced in recent years.

    Officials are putting in place the typical final measures to ensure the smooth operation of an election, but beyond checking that they have enough ballots and that machines are working properly, officials are now faced with having to monitor for threats and make sure they have done everything they can to protect themselves and their staff.

    “Given the current political environment, the possibility that an event may occur has increased and our election professionals have responded in kind,” says Tammy Patrick, a former election official in Arizona’s Maricopa County who’s now a senior advisor at the nonprofit Bolstering Elections Initiative. “Efforts focusing on the physical security of the voters, election workers, and staff by putting in bulletproof glass, panic buttons, razor wire and fencing are fairly common, as is the installation of surveillance cameras and systems, cyber protections, and training on de-escalation techniques and response drills.”

    Nowhere in the US is the militarization of the election process more evident than in Maricopa County.

    The county, which is the fourth largest county in the nation, became ground zero for election denial conspiracists in recent years, after GOP lawmakers sanctioned a bogus recount in 2021, run by the Florida company Cyber Ninjas.

    As a result, Maricopa has for years been putting increased security measures in place. “We’re a fortress now,” Stephen Richer, the Maricopa County Recorder, told WIRED back in February, outlining how he had to navigate security fencing, metal detectors, and security checks in order to get into his office.

    As the 2024 election approaches, the measures Maricopa officials are putting in place have been ratcheted up significantly.

    Officials have now added a second layer of security fencing to protect election offices as well as concrete k-rails, which means election workers will be bussed in from off-site locations due to reduced parking spaces. At the county’s tabulation center, every door will be fitted with metal detectors, floodlights will be installed, and on election day, the center will be protected by a ring of snipers deployed on roofs around the building, election officials told NBC.

  • Chinese Hackers Target Trump Campaign via Verizon Breach

    The Chinese spy operation adds to the growing sense of a melee of foreign digital interference in the election, which has already included Iranian hackers’ attempt to hack and leak emails from the Trump campaign—with limited success—and Russia-linked disinformation efforts across social media.

    Ahead of the full launch next week of Apple’s AI platform, Apple Intelligence, the company debuted tools this week for security researchers to evaluate its cloud infrastructure known as Private Cloud Compute. Apple has gone to great lengths to engineer a secure and private AI cloud platform, and this week’s release includes extensive detailed technical documentation of its security features as well as a research environment that is already available in the macOS Sequoia 15.1 beta release. The testing features allow researchers (or anyone) to download and evaluate the actual version of PCC software that Apple is running in the cloud at a given time. The company tells WIRED that the only modifications to the software relate to optimizing it to run in the virtual machine for the research environment. Apple also released the PCC source code and said that as part of its bug bounty program, vulnerabilities that researchers discover in PCC will be eligible for a maximum bounty payout of up to $1 million.

    Over the summer, Politico, The New York Times, and The Washington Post each revealed that they’d been approached by a source offering hacked Trump campaign emails—a source whom the US Justice Department says was working on behalf of the Iranian government. The news outlets all refused to publish or report on those stolen materials. Now it appears that Iran’s hackers did eventually find outlets outside the mainstream media that were willing to release those emails. American Muckrakers, a PAC run by a Democratic operative, did publish the documents after soliciting them in a public post on X, writing, “Send it to us and we’ll get it out.”

    American Muckrakers then published internal Trump campaign communications about North Carolina Republican gubernatorial candidate Mark Robinson and Florida Republican representative Anna Paulina Luna, as well as material that seemed to suggest a financial arrangement between Donald Trump and Robert F. Kennedy Jr., the third-party candidate who dropped out of the race and endorsed Trump. Independent journalist Ken Klippenstein also received and published some of the hacked material, including a research profile on Trump running mate and US senator JD Vance that the campaign assembled when assessing him for the role. Klippenstein subsequently received a visit from the FBI, he’s said, warning him that the documents were shared as part of a foreign influence campaign. Klippenstein has defended his position, arguing that the media should not serve as “gatekeeper of what the public should know.”

    As Russia has both waged war and cyberwar against Ukraine, it’s also carried out a vast campaign of hacking against another neighbor to the west with whom it’s long had a fraught relationship: Georgia. Bloomberg this week revealed ahead of the Georgian election how Russia systematically penetrated the smaller country’s infrastructure and government in a yearslong series of digital intrusion operations. From 2017 to 2020, for instance, Russia’s military intelligence agency, the GRU, hacked Georgia’s Central Election Commission (just as it did in Ukraine in 2014), multiple media organizations, and IT systems at the country’s national railway company—all in addition to the attack on Georgian TV stations that the NSA pinned on the GRU’s Sandworm unit in 2020. Meanwhile, hackers known as Turla, working for the Kremlin’s KGB successor, the FSB, broke into Georgia’s Foreign Ministry and stole gigabytes of officials’ emails over months. According to Bloomberg, Russia’s hacking efforts weren’t limited to espionage but also appeared to include preparing for disruption of Georgian infrastructure like the electric grid and oil companies in the event of an escalating conflict.

    For years, cybersecurity professionals have argued about what constitutes a cyberattack. An intrusion designed to destroy data, cause disruption, or sabotage infrastructure? Yes, that’s a cyberattack. A hacker breach to steal data? No. A hack-and-leak operation or an espionage mission with a disruptive clean-up phase? Probably not, but there’s room for debate. The Jerusalem Post this week, however, achieved perhaps the clearest-cut example of calling something a cyberattack—in a headline no less—that is very clearly not: disinformation on social media. The so-called “Hezbollah cyberattack” that the news outlet reported was a collection of photos of Israeli hospitals posted by “hackers” identifying as Hezbollah supporters that suggested weapons and cash were stored underneath them and that they should be attacked. The posts seemingly came in response to the Israeli Defense Forces’ repeating similar claims about hospitals in Gaza that the IDF has bombed, as well as another more recently in Lebanon’s capital city of Beirut.

    “These are NOT CYBERATTACKS,” security researcher Lukasz Olejnik, the author of the books The Philosophy of Cybersecurity and Propaganda, wrote next to a screenshot of the Jerusalem Post headline on X. “Posting images to social media is not hacking. Such a bad take.”

  • ICE Signs $2 Million Contract With Spyware Maker Paragon Solutions

    Paragon was founded in 2019 by veterans from the Israel Defense Forces’ powerful intelligence Unit 8200 with the active involvement of former Israeli prime minister Ehud Barak as an investor who is estimated to own a sizable slice of the company.

    The company has received investment from the Boston-headquartered Battery Ventures, “considered to be one of the world’s top venture capital firms,” and two of its founders formerly worked for Blumberg Capital, another large US venture capital firm.

    Israeli media reported in June that a US private equity fund with a portfolio of security companies has been in talks to acquire control of Paragon, estimating its valuation at $1 billion.

    To secure its unique US-approved, “ethical” positioning, Paragon has made “deliberate efforts” since its establishment to break into the US market, notes the Atlantic Council.

    In 2019, as Paragon was developing Graphite, the company enlisted WestExec Advisors, a prominent Washington, DC, consulting firm cofounded by former Obama administration officials, including current US secretary of state Antony Blinken, to advise on its “strategic approach to the US and European markets,” a company executive told the Financial Times. Avril Haines, a former WestExec staffer, is now the US director of national intelligence.

    To remain in the US government’s “good graces,” Paragon in February 2023 hired another DC-based lobbying firm, Holland & Knight, “with a good track record in avoiding sanctions,” as some reports point out. Lobbying expenditure disclosure reveals a spend of a minimum $280,000 in 2023 and 2024 for this campaign.

    The fact that the spyware vendor has neither been placed on an entity list nor have any of its executives been sanctioned by the Biden administration suggests that Paragon’s lobbying efforts have been successful.

    In addition, Biden’s executive order leaves enough margin for the deployment of tools like Graphite. When a senior US administration official was asked specifically about potential abuses of Paragon’s flagship product, they said that the executive order “requires the heads of agencies to review any activity that might be relevant,” without excluding the possibility of lawful use.

    Meanwhile, the company continues to grow and is advertising several roles in Israel. In the US, Paragon boosted its presence in the wake of the signing of the executive order and started hiring intelligence veterans, including former CIA and FBI officers at its subsidiary, “hoping it would pick up new business.” Fresh reports from February 2024 confirmed the steady growth.

    Paragon’s $2 million contract with ICE is tangible proof that the company’s approach is paying off. It remains to be seen whether Graphite’s deployment will align with the protection of human rights, privacy, and democracy.

  • Notorious Evil Corp Hackers Targeted NATO Allies for Russian Intelligence

    International law enforcement has worked for years to disrupt the cybercriminal gang Evil Corp and its egregious global crime spree. But in a crowded field of prolific Russian cybercriminals, Evil Corp is most notable for its singular relationship with Russian intelligence.

    On Tuesday, the United Kingdom’s National Crime Agency released new details about the real world identities of alleged Evil Corp members, the group’s connection to the LockBit platform, and the gang’s ties to the Russian state. Researchers have increasingly established that there are loose, quid pro quo connections between Russian cybercriminals and the country’s government. But NCA officials emphasize that Evil Corp is an unusual example of a gang that has direct relationships with multiple Russian intelligence agencies—including Russia’s Federal Security Service, or FSB; Foreign Intelligence Service, or SVR; and military intelligence agency known as the GRU. And the NCA reports that before 2019, Evil Corp was specifically “tasked” by Russia’s intelligence services with conducting espionage operations and cyberattacks against unidentified “NATO allies.”

    For more than a decade, Evil Corp has used its Dridex malware and other hacking tools to compromise thousands of bank accounts around the world and steal funds. In 2017, the group expanded into ransomware, using strains like Hades and PhoenixLocker, and then using the LockBit platform as an affiliate beginning in 2022. The group has extorted at least $300 million from victims on top of its other spoils, and the United States Department of State is offering a $5 million reward for information leading to the arrest of the gang’s alleged leader, Maksim Yakubets.

    “Evil Corp’s story is a prime example of the evolving threat posed by cybercriminals and ransomware operators,” the NCA wrote on Tuesday in a joint report with the FBI and Australian Federal Police. “In their case, the activities of the Russian state played a particularly significant role, sometimes even co-opting this cybercrime group for its own malicious cyber activity.”

    Unlike many Russian cybercrime groups that have evolved a distributed leadership structure online, NCA officials say that Evil Corp is organized like a more traditional crime syndicate around Yakubets’ family and friends. His father, Viktor Yakubets, allegedly has a background in money laundering, and Maksim’s brother Artem, along with cousins Kirill and Dmitry Slobodskoy, are all allegedly involved with the group. Officials also allege that the group has operated out of physical locations, including Chianti Café and Scenario Café in Moscow.

    Officials say that Maksim Yakubets has always been the primary liaison between Evil Corp and Russian intelligence. But other members, including his father-in-law, Eduard Benderskiy, also allegedly contribute to the relationships. Benderskiy is reportedly a former FSB official who worked in the mysterious ‘Vympel’ unit and, according to Bellingcat, may have been involved in a series of overseas assassinations. NCA officials say that after the US’s 2019 sanctions and indictments against Evil Corp members, Benderskiy worked to protect the gang’s senior members within Russia.

    In spite of its longtime dominance, Evil Corp has had to continue evolving to keep making money. While it denies a relationship, the group seemed to have used the notorious ransomware-as-a-service platform LockBit to conduct attacks since 2022. And Yakubets’s alleged second in command, whom NCA officials named on Tuesday as Aleksandr Ryzhenkov, was apparently overseeing this work. After international law enforcement launched a major disruption of LockBit in February, the gang has been operating in a diminished capacity, according to the NCA.

    “Born out of a coalescing of elite cybercriminals, Evil Corp’s sophisticated business model made them one of the most pervasive and persistent cybercrime adversaries to date,” the NCA wrote. “After being hampered by the December 2019 sanctions and indictments, the group have been forced to diversify their tactics as they attempt to continue causing harm whilst adapting to the changing cybercrime ecosystem.”
