
Attacks/Breaches

12/5/2019
03:45 PM

US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts

Maksim Yakubets and his crew stole tens of millions using Zeus and Dridex, with victims including Bank of America, Key Bank, GenLabs, and United Dairy, DoJ says.

The US State Department in collaboration with the US Department of Justice and the FBI Thursday announced an unprecedented $5 million reward for information leading to the arrest or conviction of a Russian hacker allegedly responsible for stealing tens of millions of dollars from banks and consumers over the past decade.

In a criminal complaint unsealed today in federal court in Lincoln, Nebraska, the US charged Moscow-based Maksim Yakubets, 32, of running the notorious Zeus banking malware operation since at least 2009. Yakubets and multiple co-conspirators are alleged to have installed Zeus on thousands of business computers and captured information that allowed them to later log into online banking accounts belonging to the victims and initiate fraudulent wire transfers.

Yakubets and other members of his group attempted to steal a staggering $220 million using Zeus and ended up netting at least $70 million from victim bank accounts. Among the numerous organizations that were victimized in the Zeus campaign were Bank of America, Bank of Albuquerque, Key Bank, Bullitt County Fiscal Court, GenLabs, and United Dairy.

Source: FBI

Federal authorities on Thursday separately also charged Yakubets and another Russian national, Igor Turashev, 38, with stealing and attempting to steal money from online bank accounts belonging to thousands of individuals and businesses using Bugat - aka Dridex - malware.

The Dridex campaign began around 2009, and as with the Zeus scheme, resulted in millions of dollars being siphoned out of the online bank accounts of consumers and businesses. A representative list of victims included at least two banks and four companies. Attacks involving Dridex continued until as recently as March 2019, the DoJ said in a statement announcing the indictment.

"For over a decade, Maksim Yakubets and Igor Turashev led one of the most sophisticated transnational cybercrime syndicates in the world," said US Attorney Scott Brady of the Western District of Pennsylvania. The Dridex operation was one of the most widespread malware campaigns the Justice Department has ever encountered, he said.

Yakubets is alleged to have managed the development, distribution, and maintenance of Dridex and also oversaw the actual financial theft and the use of money mules to receive wire transfers and ACH payments. Turashev served as the systems administrator and was in charge of Dridex botnet operations. NPR on Thursday quoted senior Treasury Department officials describing Yakubets as also working separately for Russia's domestic intelligence agency, the Federal Security Service (FSB).

"Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide," said Assistant Attorney General Brian Benczkowski. The $5 million reward for his arrest or conviction is the largest ever the US government has offered in connection with a cybercrime.

Tens of Millions in Losses

According to charging documents unsealed this week in connection with both indictments, Yakubets, Turashev, and others involved in the Dridex campaign infected systems by tricking victims into opening malicious attachments or clicking on rogue links in phishing emails. They used the malware to collect usernames and passwords to bank accounts either via keystroke logging or by hijacking computer sessions and directing victims to spoofed bank login pages. The stolen credentials were then used to initiate fraudulent wire transfers to overseas accounts and to an extensive network of money mules in the US.

As one example, the indictment points to an attack in September 2012 in which Yakubets and Turashev managed to illicitly transfer some $2.2 million from an online account at Commonwealth Bank belonging to Penneco Oil to an account in Krasnodar, Russia. The same day, the duo attempted to steal another $76,000 from Penneco's account at the same bank.

Source: FBI

Yakubets employed a similar tactic with the Zeus campaign, which was more targeted at businesses than Dridex.

For the moment both individuals remain at large in Russia. While it's highly unlikely the Russian government will willingly extradite the two individuals to face the charges against them, their ability to travel outside Russia likely has been severely curtailed by the indictments. In the past, US law enforcement authorities have been quite successful in arresting and extraditing indicted individuals from countries like Russia who made the mistake of traveling to nations friendly to US interests.

Some notable examples include Vadim Polyakov, a Russian hacker who in 2014 was arrested while vacationing in Spain, and then extradited and subsequently convicted on charges related to an attack on StubHub. Another example is Roman Seleznyov, another Russian hacker currently serving a concurrent 27-year and 14-year sentence for his role in two separate hacking schemes that resulted in over $70 million in losses to US businesses. Seleznyov was arrested while vacationing in the Maldives and extradited to the US in July 2014, prompting accusations of kidnapping from his father Valery Seleznev, a Russian lawmaker.

"If they are indeed found to reside in Russia, it is likely that they might never be brought to trial in the United States," says Chris Morales, head of security analytics at Vectra. Diplomacy is one possible avenue, he says. "The alternative is through the US government finding its own way to bring the defendants to the United States against their will, forcibly."

Fausto Oliveira, principal security architect at Acceptto, says the indictments are a clear warning that the US is committed to prosecuting cybercriminals across borders. It also serves as a reminder for the public that this type of crime is not forgotten, he says.

The $5 million award is significant as well, Oliveira says. "[It] may tempt some other threat actors or casual connections to denounce them as a way to either take down the competition or obtain some financial gain," he says.

Like Morales, he too fears that the biggest challenge for the DoJ is if the indicted persons remain in, or have escaped to, a territory that does not have an extradition agreement. "In those cases it becomes hard, if not impossible, for the suspects to be brought in front of a judge."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
