Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/5/2019
03:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts

Maksim Yakubets and his crew stole tens of millions using Zeus and Dridex, with victims including Bank of America, Key Bank, GenLabs, and United Dairy, DoJ says.

The US State Department in collaboration with the US Department of Justice and the FBI Thursday announced an unprecedented $5 million reward for information leading to the arrest or conviction of a Russian hacker allegedly responsible for stealing tens of millions of dollars from banks and consumers over the past decade.

In a criminal complaint unsealed today in federal court in Lincoln, Nebraska, the US charged Moscow-based Maksim Yakubets, 32, of running the notorious Zeus banking malware operation since at least 2009. Yakubets and multiple co-conspirators are alleged to have installed Zeus on thousands of business computers and captured information that allowed them to later log into online banking accounts belonging to the victims and initiate fraudulent wire transfers.

Yakubets and other members of his group attempted to steal a staggering $220 million using Zeus and ending up netting at least $70 million from victim bank accounts. Among the numerous organizations that were victimized in the Zeus campaign were Bank of America, Bank of Albuquerque, Key Bank, Bullitt County Fiscal Court, GenLabs, and United Dairy.

Source: FBI
Source: FBI

Federal authorities on Thursday separately also charged Yakubets and another Russian national, Igor Turashev, 38, with stealing and attempting to steal money from online bank accounts belonging to thousands of individuals and businesses using Bugat - aka Dridex - malware.

The Dridex campaign began around 2009, and as with the Zeus scheme, resulted in millions of dollars being siphoned out of the online bank accounts of consumers and businesses. A representative list of victims included at least two banks and four companies. Attacks involving Dridex continued until as recently as March 2019, the DoJ said in a statement announcing the indictment.

"For over a decade, Maksim Yakubets and Igor Turashev led one of the most sophisticated transnational cybercrime syndicates in the world," said US Attorney Scott Brad of Western District of Pennsylvania. The Dridex operation was one of the most widespread malware campaigns the Justice Department has ever encountered, he said.

Yakubets is alleged to have managed the development, distribution, and maintenance of Dridex and also oversaw the actual financial theft and the use of money mules to receive wire transfers and ACH payments. Turashev served as the systems administrator and was in charge of Dridex botnet operations. NPR on Thursday quoted senior Treasury Department officials describing Yakubets as also working separately for Russia's domestic intelligence agency the Federal Security Service (FSB).

"Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide," said Assistant Attorney General Brian Benczkowski. The $5 million reward for his arrest or conviction is the largest ever the US government has offered in connection with a cybercrime.

Tens of Millions in Losses

According to charging documents unsealed this week in connection with both indictments, Yakubets, Turashev, and others involved in the Dridex campaign infected systems by tricking victims into opening malicious attachments or clicking on rogue links in phishing emails. They used the malware to collect usernames and passwords to bank accounts either via keystroke logging or by hijacking computer sessions and directing victims to spoofed bank login pages. The stolen credentials were then used to initiate fraudulent wire transfers to overseas accounts and to an extensive network of money mules in the US.

As one example, the indictment points to an attack in September 2012, where Yakubets and Turashev managed to illicitly transfer some $2.2 million from an online account at Commonwealth Bank belonging to Penneco Oil to an account in Krasnodar, Russia. The same day the duo attempted to steal another $76,000 from Penneco's account at the same bank.

Source: FBI
Source: FBI

Yakubets employed a similar tactic with the Zeus campaign, which was more targeted at businesses than Dridex.

For the moment both individuals remain at large in Russia. While it's highly unlikely the Russian government will willingly extradite the two individuals to face the charges against them, their ability to travel outside Russia likely has been severely curtailed by the indictments. In the past, US law enforcement authorities have been quite successful in arresting and extraditing indicted individuals from countries like Russia who made the mistake of traveling to nations friendly to US interests.

Some notable examples include Vadim Polyakov, a Russian hacker who in 2014 was arrested while vacationing in Spain, and then extradited and subsequently convicted on charges related to an attack on StubHub. Another example is Roman Seleznyov, another Russian hacker currently serving a concurrent 27-year and 14-year sentence for his role in two separate hacking schemes that resulted in over $70 million in losses to US businesses. Seleznyov, was arrested while vacationing in the Maldives and extradited to the US in July 2014, prompting accusations of kidnapping from his father Valery Seleznev, a Russian lawmaker.

"If they are indeed found to reside in Russia, it is likely that they might never be brought to trial in the United States," says Chris Morales, head of security analytics at Vectra. Diplomacy is one possible avenue he says. "The alternative is through the US government finding its own way to bring the defendants to the United States against their will, forcibly."

Fausto Oliveira, principal security architect at Acceptto, says the indictments are a clear warning that the US is committed to prosecuting cybercriminals across borders. It also serves as a reminder for the public that this type of crime is not forgotten, he says.

The $5 million award is significant at as well, Oliveira says. "[It] may tempt some other threat actors or casual connections to denounce them as a way to either take down the competition or obtain some financial gain," he says.

Like Morales, he too fears that the biggest challenges for the DoJ is if the indicted persons remain or have escaped to a territory that does not have an extradition agreement. "In those cases it becomes hard, if not impossible, for the suspects to be brought in front of a judge."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
joshuaprice153
50%
50%
joshuaprice153,
User Rank: Apprentice
12/11/2019 | 12:03:04 AM
US Sets $5 Million Bounty For Russian Hacker
The author evidently took time to compose this entry so that it'll be easier to understand for others. That's really thoughtful of him. But I just wanted to note something: It'd be nice to update themes once in while, you know. car window tinting
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11494
PUBLISHED: 2020-04-02
An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4.
CVE-2020-7619
PUBLISHED: 2020-04-02
get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data.
CVE-2020-7620
PUBLISHED: 2020-04-02
pomelo-monitor through 0.3.7 is vulnerable to Command Injection.It allows injection of arbitrary commands as part of 'pomelo-monitor' params.
CVE-2020-7621
PUBLISHED: 2020-04-02
strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. It allows execution of arbitrary command as part of the '_nginxCmd()' function.
CVE-2020-7623
PUBLISHED: 2020-04-02
jscover through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary command via the source argument.