A team of Russian hackers branded the world’s “most harmful cyber crime group” has been accused of carrying out malware attacks which targeted Scottish football fans and caused chaos at NHS health boards.
An unprecedented collaboration between the National Crime Agency (NCA), the FBI and the National Cyber Security Centre has exposed the lavish lifestyle of the man allegedly behind Evil Corp, a group that created and deployed malware causing hundreds of millions of pounds of financial damage in the UK.
Maksim Yakubets, 32, has been indicted in the United States in relation to two separate international computer hacking and bank fraud schemes, which employed dozens of people working from the basement of Moscow cafes.
Evil Corp targeted the UK for almost a decade with multiple strains of damaging malware which defrauded and stole money from the bank accounts of members of the public and businesses.
A dedicated NCA team began working in 2014 with multiple partners to investigate one of the group’s core malware strains, Dridex – a banking trojan delivered via malicious email attachments in an attempt to steal account details.
The Scottish Football Association apologised in late 2016 after thousands of members of the Scotland Supporters Club were sent a scam email asking them to click a link and make a payment of £170.
It later emerged hackers infiltrated a third-party database to harvest fans’ email records and then sent the message in an attempt to deliver the malicious Dridex software.
Just months later, health bosses were forced to cancel operations and appointments after 11 of Scotland’s 14 NHS health boards were hit by malware linked to IT attacks around the world.
The incident, which NHS Tayside confirmed affected 10 GP practices and also caused disruption in Fife, saw health boards across the country hit with a new variant of the ransomware Bitpaymer – also known as FriedEx.
The programme encrypts the data it finds on a host computer so it can no longer be accessed and then demands payment for its release. The attack left some medical centres unable to access patient records.
A 2018 investigation by leading security software firm ESET found Bitpaymer is also the work of Dridex authors Evil Corp but was designed to specifically target high profile organisations and companies.
NCA director general Lynne Owens said: “The significance of this group of cyber criminals is hard to overstate; they have been responsible for campaigns targeting our financial structures with multiple strains of malware over the last decade.
“We are unlikely to ever know the full cost but the impact on the UK alone is assessed to run into the hundreds of millions.
“It is our assessment that Maksim Yakubets and Evil Corp – the cyber crime group he controls – represent the most significant cyber crime threat to the UK.”
In 2016, security firm Symantec assessed Dridex was set up to target the customers of nearly 300 different organisations in over 40 countries.
Yakubets – who drives a customised Lamborghini with a personalised number plate that translates to ‘thief’ and uses the online moniker ‘Aqua’ – is now subject to a $5 million US State Department reward, the largest ever offered for a cyber criminal.
If he ever leaves Russia, he will be arrested and extradited to the US.
Fellow Russian Igor Turashev, 38, who is Yakubets’ administrator and controls the Dridex malware, has also been indicted for cyber crime offences. Another operation in 2015 led to the arrest of Andrey Ghinkul, a Dridex distributor known as ‘Smilex’.
Investigations in the UK by the NCA and the Metropolitan Police have targeted Yakubets’ network of money launderers who have funnelled profits back to Evil Corp. Eight people have been sentenced to a total of over 40 years in prison.
Intelligence provided by the NCA has also been used to support sanctions brought by the US Treasury Department’s Office of Foreign Assets Control against Evil Corp, Yakubets, Turashev and 21 associated entities.
As a result of these designations, any property under US jurisdiction held by those subject to sanction has been blocked and US persons are prohibited from engaging in transactions with them.
Cyber security expert warns hackers may have targeted NHS health boards intentionally
A leading cyber security and privacy expert has warned hackers may have intentionally targeted NHS health boards due to their large numbers of employees.
Dr Xavier Bellekens, from Strathclyde University, pointed to techniques used by groups to attempt to gain access to an organisation’s IT system by targeting a significant portion of its users at one time.
He said: “All of these groups create multiple malware. They are spread in the wild so some of the attacks are coordinated and others less so.
“In many cases, they decide their targets consciously. So if the NHS was a target, there would be a reason they were targeted.
“The NHS is a very large body so there are a lot of people who may open an attachment without being aware.”
Dr Bellekens, a former Abertay University lecturer, said organisations in Scotland and throughout the UK have invested heavily in cyber security but may be a particular target because so many individuals speak English as a second language.
“Universities have been targeted by similar schemes in the past,” he said.
“They try to get as many email addresses as possible and they send a bulk email in the hope one of us will click on the link.
“From what I understand, the NHS attack used a bulk email approach as well.”
Dr Bellekens added: “It’s always a game of chasing the next hacker. It’s important we take a stand to stop them.
“Over the years we’ve learned techniques such as ethical hacking – and I would use Abertay University as a good example of that – so businesses can be provided with people who understand the techniques of hackers.
“Through that and organisations attending cyber security training, I think we are far better placed against this kind of thing.
“So in my view, when the FBI and NCA come down on those hackers, they are always making the right step forward.”