Cybercrime , Fraud Management & Cybercrime , Ransomware

Evil Corp Protected by Ex-Senior FSB Official, Police Say

UK National Crime Agency Details Kremlin-Cybercrime Connection
Evil Corp Protected by Ex-Senior FSB Official, Police Say
Eduard Bendersky in 2011. (Image: Vesti.ru)

Russian intelligence agencies tasked the notorious Russian-speaking cybercrime syndicate Evil Corp with conducting cyberattacks and cyberespionage operations on behalf of the Russian government, British police said Tuesday.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

The connection between Kremlin operatives and cybercrime extended for years in a relationship nursed by Evil Corp leader Maksim Yakubets, aka Aqua, who has headed the group since its 2014 formation as a purveyor of banking Trojan Dridex.

Amid a flurry of announced arrests, server seizures and indictments against the Russian cybercrime underground announced Tuesday in a coordinated set of announcements timed for the second day of an annual meeting of the International Counter Ransomware Initiative, the U.K. National Crime Agency published a report detailing Evil Corp's work as a Russian state proxy. It includes being tasked by Russian intelligence agencies to hacked members of the NATO strategic alliance, the report states.

Evil Corp has stolen at least $100 million from victims through BitPaymer ransomware, as well as through Dridex, the FBI said. Evil Corp appears to be in part a family affair, counting among its core membership Yakubets' brother Artem, as well as two of their cousins, authorities said.

The U.S. Department of Treasury has held Yakubets under financial sanctions since 2019. The U.S., U.K. and Australia expanded those sanctions Tuesday to Yakubets' father, Viktor Yakubets, and father-in-law, Eduard Benderskiy.

U.K. police say Benderskiy is a former high-ranking official in Russia's principal security agency, the Federal Security Service or FSB.

"Benderskiy was a key enabler of their relationship with the Russian intelligence services who, prior to 2019, tasked Evil Corp to conduct cyberattacks and espionage operations against NATO allies," the NCA said Tuesday.

"Today's sanctions send a clear message to the Kremlin that we will not tolerate Russian cyberattacks - whether from the state itself or from its cybercriminal ecosystem," said U.K. Foreign Secretary David Lammy.

The Kremlin has long turned a blind eye to cybercriminals operating from inside, partially because criminal hackers can become "a pool of potential proxies that can be mobilized at a moment's notice," cybersecurity scholar Tim Maurer wrote in 2018. While many Russian cybercrime groups have ties to the Russian state, Evil Corp's were stronger than most, thanks at least in part due to Benderskiy.

"Benderskiy leveraged his status and contacts to facilitate Evil Corp developing relationships with officials from the Russian intelligence services," the NCA said. After the U.S. named and indicted multiple members of Evil Corp in 2019, "Benderskiy used his extensive influence to protect the group, both by providing senior members with security and by ensuring they were not pursued by Russian internal authorities," it said.

Benderskiy runs a number of private security organizations that carry the name "Vympel," which is the same name as a secretive unit of the KGB - the FSB's predecessor - formed in 1981 to which he previously belonged, according to investigative site Bellingcat.

Vympel's "operational scope included illegal reconnaissance, subversion, kidnappings, freeing hostages, coups d'etat and assassinations of enemies to the state," and Benderskiy has appeared to carry that remit forward by being closely involved in multiple overseas assassinations, Bellingcat reported in 2020.

The 2019 sanctions damaged Evil Corp's brand and income stream, driving the group "to have to rebuild, change tactics and take increased measures to hide their activity from law enforcement, with many members going underground, abandoning online accounts and restricting their movements," the NCA said.

The sanctions helped exacerbate existing tensions in the group, leading to core member Igor Turashev departing in an "acrimonious split" with Yakubets, and going on to develop DoppelPaymer ransomware, the NCA said.

Remaining members of Evil Corp also embraced new types of ransomware, with Yakubets and Ryzhenkov leading development of WastedLocker, while other members ended up developing such strains as Hades, PhoenixLocker, PayloadBIN and Macaw, and often engaging in big-game hunting, referring to taking down bigger targets in pursuit of larger ransoms.

"Their focus narrowed, switching from volume attacks to targeting high-earning organizations," it said. Authorities said Evil Corp also turned to LockBit in 2022 as a way to evade U.S. sanctions against the group and its leadership.

On Tuesday, the U.S. unsealed a seven-count indictment against Russian national Aleksandr Viktorovich Ryzhenkov, aka Lizardking, accusing him of serving as second-in-charge of Evil Corp.

The NCA said that after it infiltrated LockBit's infrastructure in February and began studying seized data, it found Ryzhenkov, under the handle "Beverley," allegedly generated more than 60 LockBit ransomware builds and attempted to extort at least $100 million from victims via ransom demands.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.