A Russian criminal gang secretly conducted cyberattacks and espionage operations against NATO allies on the orders of the Kremlin’s intelligence services, according to the UK’s National Crime Agency.
Evil Corp., which includes a man who gained notoriety for driving a Lamborghini luxury sports car, launched the hacks prior to 2019, the NCA said in statement on Tuesday.
The gang has been accused of using malicious software to extort millions of dollars from hundreds of banks and financial institutions in more than 40 countries. In December 2019, the US government sanctioned Evil Corp. and accused its alleged leader,
Maksim Yakubets, of providing “direct assistance” to the Russian state, including by “acquiring confidential documents.”
The NCA’s statement on Tuesday provides new detail on the work Yakubets and other members allegedly carried out to aid the Kremlin’s geopolitical aims. The exact nature of the hacks against the North Atlantic Treaty Organization allies wasn’t immediately clear.
The gang cultivated close ties with officials from Russia’s main intelligence agencies, the Federal Security Service (FSB), Foreign Intelligence Service (SVR) and a military intelligence agency of the General Staff of the Armed Forces, known as the GRU, according to the NCA. That effort, the NCA alleged, was partly aided by Yakubets’ father-in-law, Eduard Benderskiy, a former high-ranking official of a secretive FSB unit named Vympel, which the investigative outlet Bellingcat has linked to assassination operations. In addition, when the US punished the hackers in 2019, Benderskiy came to their aid - using his FSB connections to protect the hackers from any internal blowback from Russian authorities, according to the NCA.
A spokesperson for Russia’s Embassy in London didn’t respond to requests for comment.
The NCA said that another alleged Evil Corp. leader, Aleksandr Ryzhenkov, also worked with the prolific Russian ransomware group LockBit, where he operated under the pseudonym “Beverley.”
LockBit targeted thousands of companies with its ransomware, which encrypts files on a victim’s computer and demands payment to unlock them. Hackers working for the group, known as affiliates, claimed credit for breaching several major companies, including the US arm of the Industrial and Commercial Bank of China, Boeing Co., and the UK’s national postal service, the Royal Mail.
Beginning in 2022, Evil Corp.’s Ryzhenkov used LockBit’s ransomware to target up to 60 organizations, from whom he tried to extort a total of $100 million, according to the UK authorities.
The NCA’s assessment appears to confirm a June 2022 report from the cybersecurity firm Mandiant, which said that hackers affiliated with Evil Corp. had started working with LockBit. LockBit previously denied a connection to Evil Corp., portraying themselves as common cybercriminals.
LockBit was itself targeted earlier this year by a coalition of Western law enforcement agencies. In February, its website was dismantled, and authorities disclosed the identity of its alleged leader. The NCA said on Tuesday that people linked to LockBit were recently arrested in the UK, France and Spain, where nine servers were also seized. The agency said it is continuing to pursue others connected to the gang.