Who is protecting Maksim Yakubets? - Cyber Hack: Evil Corp Ep6, BBC World Service podcast
By BBC World Service
Cyber Hack: Evil Corp – A Detailed Summary
Key Concepts:
- Evil Corp: A prolific cybercriminal group responsible for significant financial losses globally through malware like Jabber Zeus and Dridex, and ransomware attacks.
- Maksim Yakubets (Aqua): Alleged leader of Evil Corp, currently on the FBI’s Most Wanted list with a $5 million bounty. Increasingly suspected of direct ties to Russian intelligence services.
- WagInt (Wives and Girlfriends Intelligence): Investigative technique used to track Evil Corp members through the social media activity of their families.
- FSB (Federal Security Service): Russia’s primary security agency, alleged to have a tasking relationship with Evil Corp, potentially utilizing them for cyber espionage and attacks.
- State-Sponsored Hacking: The concept of a nation-state utilizing cybercriminals for its own strategic objectives, blurring the lines between criminal activity and national security operations.
- Dridex & Phoenix Locker: Malware variants used by Evil Corp, evolving from banking trojans to sophisticated ransomware.
- Sanctions & Indictments: Legal tools used by the US and UK to disrupt Evil Corp’s operations and target its members financially and legally.
1. The Persistent Threat of Evil Corp & Maksim Yakubets
Will Lyne, Head of Cyber Intelligence at the UK National Crime Agency (NCA), identifies Evil Corp as a “consistent and persistent threat” causing “harm to victims across the UK and around the world.” The central figure is Maksim Yakubets, who has been on the NCA’s radar for a long time. Early observations reveal a disregard for maintaining a low profile, evidenced by photos of him driving luxury vehicles (Lamborghini, Ferrari) in Moscow, even being stopped by police without apparent concern. A $5 million US government bounty has been placed on his head, yet he maintains a degree of notoriety and apparent security, potentially including a security detail.
2. Shifting Investigative Strategies: From Computers to Personal Disruption
Initially, efforts focused on disrupting Evil Corp’s computer infrastructure. However, the strategy has evolved to target Yakubets personally, aiming to “make life harder for him.” This shift acknowledges the difficulty of traditional law enforcement approaches given Yakubets’ location and operational methods. The NCA’s recent dossier, “Evil Corp: Behind the Screens,” represents a culmination of this strategy, detailing alleged connections to Russian intelligence.
3. WagInt: Leveraging Family Connections for Intelligence Gathering
Recognizing the operational security of Evil Corp members, investigators turned to “WagInt” – intelligence gathered from the wives and girlfriends of group members. These individuals were found to extensively document their lives on social media, revealing familial connections within the group and a lavish lifestyle, including vehicles with personalized license plates like “Thief” in Russian.
4. Allegations of Russian Intelligence Ties & State Sponsorship
The NCA dossier alleges a “privileged position” for Evil Corp, extending beyond a typical criminal-state relationship of protection and payoffs. It claims that prior to 2019, Evil Corp was “tasked by Russian intelligence services to conduct cyber attacks and espionage operations against Nato allies.” This claim is based on uncovered links and intelligence, with the NCA expressing “high confidence” in its validity. This raises the critical question: is Evil Corp merely a criminal gang, or a weapon of the Russian state?
5. The 2019 Indictment & Public Naming of Maksim Yakubets
In December 2019, the US and UK publicly indicted Maksim Yakubets, revealing his name after a decade of private investigation. The indictment detailed at least 300 victim organizations in 43 countries, with losses exceeding $100 million. The decision to go public was a complex one, requiring a high level of confidence in the evidence to withstand legal scrutiny. Crucially, the FSB had previously confirmed Yakubets’ identity based on information gleaned from Jabber Zeus chat logs. Evidence used to solidify the case included an email address used to purchase a baby pram and a visa application listing Yakubets as an ex-husband.
6. The Impact of Indictment & Subsequent Activities
Following the indictment, Yakubets reportedly went “dark” for six months. However, Evil Corp re-emerged in 2021 with increased ambition, utilizing a new ransomware variant called Phoenix Locker. A single attack in 2021 resulted in a $40 million ransom payment, reportedly made by the victim, CNA Financial, marking a significant escalation in their operations.
7. Investigative Efforts in Russia & Family Connections
A BBC investigation in 2021 attempted to locate Yakubets in Moscow, ultimately reaching his father, Viktor. Viktor denied his son’s involvement in cybercrime and claimed the bounty had put his family at risk. The investigation also revealed connections to other family members, including cousin Kirill Slobodskoy, involved in hacking and money laundering. Sanctions were extended to include Yakubets’ father and father-in-law.
8. Eduard Bendersky: The Alleged Protector & FSB Connection
The NCA dossier identifies Eduard Bendersky, Yakubets’ father-in-law, as a key figure providing protection and facilitating connections to Russian intelligence. Bendersky is a former elite soldier with a history in the FSB’s Vympel unit, a secretive counter-terrorism force. Bellingcat’s investigation alleges Bendersky was involved in the 2019 assassination of Zelimkhan Khangoshvili in Berlin, linking his phone records to the assassin, Vadim Krasikov. Krasikov was later exchanged for US prisoners, confirming his FSB affiliation. Bellingcat alleges Bendersky used Vympel-affiliated companies to facilitate the assassination.
9. Colonial Pipeline Attack & the Escalation of Ransomware
The 2021 Colonial Pipeline ransomware attack, while not directly linked to Evil Corp, highlighted the growing threat of ransomware and its potential to disrupt critical infrastructure. The attack prompted a national state of emergency in the US and raised concerns about Russian involvement. President Biden acknowledged the attack originated in Russia but stopped short of labeling it an act of war.
10. The Biden-Putin Summit & Limited Impact
The June 2021 summit between Biden and Putin addressed cybercrime, with Biden presenting Putin with a list of 16 critical infrastructure areas that should be off-limits to attack. While a temporary decrease in attacks was observed, its cause remains uncertain. Reports suggest a limited crackdown on cybercriminals in Russia following the summit, potentially for public relations purposes.
11. Current Status & Future Outlook
Despite the indictments, sanctions, and investigations, Evil Corp remains active. Will Lyne acknowledges their persistence and adaptability. The NCA continues to monitor their activities, recognizing the need for new strategies to disrupt their operations, particularly given their alleged ties to the Russian state. Brian Krebs emphasizes Evil Corp’s ability to “shapeshift” and remain at the forefront of emerging cyber threats.
Conclusion:
The story of Evil Corp is a complex and evolving one, highlighting the challenges of combating sophisticated cybercrime with potential state sponsorship. The investigation reveals a network of individuals, familial connections, and alleged ties to Russian intelligence, raising serious questions about the nature of the threat and the effectiveness of current countermeasures. The case underscores the need for international cooperation, innovative investigative techniques, and a proactive approach to disrupting not only the technical infrastructure of cybercriminal groups but also the personal lives and networks of their leaders.