NATO Allies Targeted in Suspected Russian-Linked Cyberespionage Campaign


Evil Corp: Unveiling the Deep Ties Between a Notorious Cybercrime Gang and Russian Intelligence

For over a decade, the international community has grappled with the devastating impact of Evil Corp, a prolific Russian cybercriminal organization responsible for a global crime spree estimated to have netted at least $300 million. However, what sets Evil Corp apart from the multitude of other Russian cybercrime groups is its uniquely close and documented relationship with multiple Russian intelligence agencies. Recently released details from the United Kingdom’s National Crime Agency (NCA), in collaboration with the FBI and Australian Federal Police, shed unprecedented light on the gang’s structure, operations, and alarmingly direct connections to the Russian state. This article delves into the disturbing details of Evil Corp’s history, its sophisticated methods, and its troubling implications for global cybersecurity.

A Multi-faceted Criminal Enterprise:

Evil Corp’s activities extend far beyond the typical ransomware-as-a-service (RaaS) model prevalent in the cybercrime landscape. The group was initially known for its Dridex malware, which infiltrated thousands of bank accounts worldwide and allowed it to steal vast sums of money. It subsequently expanded its operations to include ransomware attacks. Early ransomware strains such as Hades and PhoenixLocker paved the way for its later affiliation with the infamous LockBit platform in 2022. This diversification demonstrates a calculated and adaptable criminal strategy, enabling the group to maximize its profits across multiple vectors.

The NCA report highlights the unusually hierarchical structure of Evil Corp, contrasting sharply with the often-distributed leadership models seen in other cybercriminal groups. Instead, Evil Corp operates more like a traditional criminal syndicate, centered around the Yakubets family and their close associates. Maksim Yakubets, the alleged leader, is identified as the primary liaison between the group and Russian intelligence agencies. His father, Viktor Yakubets, allegedly possesses a background in money laundering, and other family members, including his brother Artem, and cousins Kirill and Dmitry Slobodskoy, are also implicated in the group’s activities. The organization even allegedly operated out of physical locations in Moscow, such as the Chianti Café and Scenario Café, further suggesting a level of structured organization rarely seen in other cybercrime groups.

The alleged involvement of Eduard Benderskiy, Maksim Yakubets’ father-in-law, adds another layer of complexity to the group’s structure and its connections to the Russian state. Benderskiy, reportedly a former FSB official who served in the secretive ‘Vympel’ unit, has been linked by Bellingcat to overseas assassinations. Following the US sanctions and indictments against Evil Corp members in 2019, Benderskiy allegedly played a crucial role in shielding senior members within Russia, highlighting the deep-rooted protection the group enjoys.

The State’s Shadowy Role:

The most alarming aspect of the Evil Corp case is the undeniable evidence of its direct ties to Russian intelligence. The NCA report explicitly states that before 2019, Evil Corp was “tasked” by Russian intelligence services, including the FSB, SVR, and GRU, to carry out espionage operations and cyberattacks targeting unnamed NATO allies. This isn’t a case of loose connections or unintentional collaboration; it’s a deliberate and calculated relationship where a cybercriminal group was actively employed as an arm of the state.

This relationship represents a significant departure from the commonly observed "quid pro quo" arrangement often discussed regarding Russian cybercriminals and the government. While there are many instances of Russian authorities turning a blind eye to cybercriminal activity or even indirectly benefiting from it, Evil Corp’s case depicts a more direct and operational collaboration. The Russian state actively utilized the group’s expertise for its own malicious purposes, blurring the lines between state-sponsored espionage and organized crime.

Evolution and Adaptation:

Despite facing significant setbacks, including the 2019 US sanctions and indictments, and the February 2023 major disruption of LockBit, Evil Corp has demonstrated remarkable resilience and adaptability. Following the sanctions, the group was forced to diversify its tactics, relying more heavily on the LockBit ransomware-as-a-service platform since 2022. While the group denies a direct relationship, the evidence strongly suggests its involvement, with Aleksandr Ryzhenkov, Yakubets’ alleged second-in-command, allegedly overseeing these operations. These tactical shifts highlight Evil Corp’s ability to evolve within the ever-changing cybercrime landscape, constantly seeking new avenues to maximize its illicit profits.

Global Implications and the Fight Ahead:

The case of Evil Corp serves as a stark reminder of the evolving threat posed by cybercriminals and the increasingly complex interplay between cybercrime and state-sponsored activities. The gang’s story underscores a critical vulnerability in the global cybersecurity landscape, representing the troubling evolution of organized crime empowered by state actors. This case also showcases the escalating need for international collaboration in combating transnational cybercrime. The joint efforts of the NCA, FBI, and Australian Federal Police highlight the necessity of shared intelligence and coordinated law enforcement actions to effectively dismantle such sophisticated and well-protected criminal organizations.

The $5 million reward offered by the US Department of State for information leading to the arrest of Maksim Yakubets reflects the severity of the threat posed by Evil Corp and the determination of international law enforcement to bring its members to justice. However, the deep-seated connections between Evil Corp and Russian intelligence agencies pose significant challenges. Prosecuting those involved will require overcoming jurisdictional limitations and navigating the complex political landscape.

The future of cybersecurity hinges on a proactive and multifaceted approach. This requires strengthening international cooperation, enhancing cybersecurity infrastructure, developing more effective attribution techniques, and holding states accountable for their role in enabling or actively participating in cybercriminal activities. The case of Evil Corp stands as a stark warning: Failure to address these challenges will only embolden similar organizations, resulting in increased cyberattacks and far-reaching economic and national security consequences. The ongoing investigation and efforts to dismantle Evil Corp illustrate the formidable battle against sophisticated cybercrime and state sponsorship, emphasizing the need for sustained international commitment and unwavering collaboration.


Sarah Mitchell