Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/5/2019
03:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts

Maksim Yakubets and his crew stole tens of millions using Zeus and Dridex, with victims including Bank of America, Key Bank, GenLabs, and United Dairy, DoJ says.

The US State Department in collaboration with the US Department of Justice and the FBI Thursday announced an unprecedented $5 million reward for information leading to the arrest or conviction of a Russian hacker allegedly responsible for stealing tens of millions of dollars from banks and consumers over the past decade.

In a criminal complaint unsealed today in federal court in Lincoln, Nebraska, the US charged Moscow-based Maksim Yakubets, 32, of running the notorious Zeus banking malware operation since at least 2009. Yakubets and multiple co-conspirators are alleged to have installed Zeus on thousands of business computers and captured information that allowed them to later log into online banking accounts belonging to the victims and initiate fraudulent wire transfers.

Yakubets and other members of his group attempted to steal a staggering $220 million using Zeus and ending up netting at least $70 million from victim bank accounts. Among the numerous organizations that were victimized in the Zeus campaign were Bank of America, Bank of Albuquerque, Key Bank, Bullitt County Fiscal Court, GenLabs, and United Dairy.

Source: FBI
Source: FBI

Federal authorities on Thursday separately also charged Yakubets and another Russian national, Igor Turashev, 38, with stealing and attempting to steal money from online bank accounts belonging to thousands of individuals and businesses using Bugat - aka Dridex - malware.

The Dridex campaign began around 2009, and as with the Zeus scheme, resulted in millions of dollars being siphoned out of the online bank accounts of consumers and businesses. A representative list of victims included at least two banks and four companies. Attacks involving Dridex continued until as recently as March 2019, the DoJ said in a statement announcing the indictment.

"For over a decade, Maksim Yakubets and Igor Turashev led one of the most sophisticated transnational cybercrime syndicates in the world," said US Attorney Scott Brad of Western District of Pennsylvania. The Dridex operation was one of the most widespread malware campaigns the Justice Department has ever encountered, he said.

Yakubets is alleged to have managed the development, distribution, and maintenance of Dridex and also oversaw the actual financial theft and the use of money mules to receive wire transfers and ACH payments. Turashev served as the systems administrator and was in charge of Dridex botnet operations. NPR on Thursday quoted senior Treasury Department officials describing Yakubets as also working separately for Russia's domestic intelligence agency the Federal Security Service (FSB).

"Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide," said Assistant Attorney General Brian Benczkowski. The $5 million reward for his arrest or conviction is the largest ever the US government has offered in connection with a cybercrime.

Tens of Millions in Losses

According to charging documents unsealed this week in connection with both indictments, Yakubets, Turashev, and others involved in the Dridex campaign infected systems by tricking victims into opening malicious attachments or clicking on rogue links in phishing emails. They used the malware to collect usernames and passwords to bank accounts either via keystroke logging or by hijacking computer sessions and directing victims to spoofed bank login pages. The stolen credentials were then used to initiate fraudulent wire transfers to overseas accounts and to an extensive network of money mules in the US.

As one example, the indictment points to an attack in September 2012, where Yakubets and Turashev managed to illicitly transfer some $2.2 million from an online account at Commonwealth Bank belonging to Penneco Oil to an account in Krasnodar, Russia. The same day the duo attempted to steal another $76,000 from Penneco's account at the same bank.

Source: FBI
Source: FBI

Yakubets employed a similar tactic with the Zeus campaign, which was more targeted at businesses than Dridex.

For the moment both individuals remain at large in Russia. While it's highly unlikely the Russian government will willingly extradite the two individuals to face the charges against them, their ability to travel outside Russia likely has been severely curtailed by the indictments. In the past, US law enforcement authorities have been quite successful in arresting and extraditing indicted individuals from countries like Russia who made the mistake of traveling to nations friendly to US interests.

Some notable examples include Vadim Polyakov, a Russian hacker who in 2014 was arrested while vacationing in Spain, and then extradited and subsequently convicted on charges related to an attack on StubHub. Another example is Roman Seleznyov, another Russian hacker currently serving a concurrent 27-year and 14-year sentence for his role in two separate hacking schemes that resulted in over $70 million in losses to US businesses. Seleznyov, was arrested while vacationing in the Maldives and extradited to the US in July 2014, prompting accusations of kidnapping from his father Valery Seleznev, a Russian lawmaker.

"If they are indeed found to reside in Russia, it is likely that they might never be brought to trial in the United States," says Chris Morales, head of security analytics at Vectra. Diplomacy is one possible avenue he says. "The alternative is through the US government finding its own way to bring the defendants to the United States against their will, forcibly."

Fausto Oliveira, principal security architect at Acceptto, says the indictments are a clear warning that the US is committed to prosecuting cybercriminals across borders. It also serves as a reminder for the public that this type of crime is not forgotten, he says.

The $5 million award is significant at as well, Oliveira says. "[It] may tempt some other threat actors or casual connections to denounce them as a way to either take down the competition or obtain some financial gain," he says.

Like Morales, he too fears that the biggest challenges for the DoJ is if the indicted persons remain or have escaped to a territory that does not have an extradition agreement. "In those cases it becomes hard, if not impossible, for the suspects to be brought in front of a judge."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
joshuaprice153
50%
50%
joshuaprice153,
User Rank: Apprentice
12/11/2019 | 12:03:04 AM
US Sets $5 Million Bounty For Russian Hacker
The author evidently took time to compose this entry so that it'll be easier to understand for others. That's really thoughtful of him. But I just wanted to note something: It'd be nice to update themes once in while, you know. car window tinting
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.