By The Guardian (World News) | Created at 2024-10-01 14:10:14 | Updated at 2024-10-02 06:28:37
16 hours ago
A prolific Russian cybercriminal gang carried out attacks against Nato countries at the behest of state intelligence services and used family links with Russia’s domestic spy agency to protect its members after being targeted by US authorities, according to the UK’s National Crime Agency.
The dramatically named Evil Corp group had an unusually close relationship with the Russian state, said the NCA.
The UK’s most senior law enforcement agency said in a briefing published on Tuesday: “Evil Corp held a privileged position, and the relationship between the Russian state and this cybercriminal group went far beyond the typical state-criminal relationship of protection, payoffs and racketeering.”
The group, which operated out of locations in Moscow including a pair of cafes, carried out cyber-attacks and espionage operations against undisclosed Nato countries before 2019 – alongside its day-to-day criminal activities such as deploying ransomware. However, when the group was put under sanctions and some of its members indicted by the US in 2019 it turned to the father-in-law of Evil Corp’s founder for protection.
The NCA said Eduard Benderskiy, the father-in-law of Evil Corp’s leader, Maksim Yakubets, was a former high-ranking official in a unit of Russia’s domestic spy agency, the FSB, and used his connections to protect the group after the US moved against it.
“Benderskiy used his extensive influence to protect the group, both by providing senior members with security and by ensuring they were not pursued by internal Russian authorities,” said the NCA.
The NCA briefing describes Evil Corp as a family-centred operation akin to a traditional organised crime gang, with Yakubets joined by his father, brother and cousins in the business.
The group’s influence has declined since 2019, when authorities released pictures to illustrate Yakubets’s multimillionaire lifestyle, including a camouflaged Lamborghini and a personalised registration plate that spelled out “thief”.
Evil Corp also split with a key member around this time and since then it has developed new strains of ransomware, a malicious form of software that is used to lock up targets’ computer systems – which can then be decrypted in exchange for a ransom payment, typically demanded in bitcoin.
The NCA said Yakubets’s right-hand man, Aleksandr Ryzhenkov – named by the NCA on Tuesday – had teamed up with fellow Russian gang LockBit to use its malware in ransomware attacks.
after newsletter promotion
LockBit, whose victims include Royal Mail, runs a so-called ransomware-as-a-service operation in which it leases out its software and support functions in exchange for a cut of any proceeds. The NCA said it had determined that Ryzhenkov was a “LockBit affiliate and has been involved in LockBit ransomware attacks against numerous organisations”.
The NCA and other enforcement agencies have since seized LockBit’s website and the infrastructure behind its attacks, severely affecting the group’s activities in an operation revealed in February.
LockBit has claimed more victims since then, but the NCA believes those are attacks on entities that have been hit by LockBit before – or that the gang is lying in an effort to play down the impact of the NCA operation.
