The Federal Security Service (FSB) of Russia has shut down the REvil hacker group, which stole money using malware.
The operation was carried out across Russia in cooperation with the Investigative Department of the Ministry of Internal Affairs. According to the FSB, the hackers developed malicious software, organized the theft of money from foreign bank accounts, and cashed out the proceeds, including by purchasing expensive goods on the Internet.
"The appeal of the competent US authorities served as the basis for the search activities that reported the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies," the FSB said.
The FSB of Russia has established the full membership of the REvil criminal community and the involvement of its members in the illegal circulation of payment instruments, and has documented their illegal activities.
REvil has ceased to exist. According to the FSB, searches at 25 residential addresses of 14 members of the organized criminal community yielded over 426 million rubles ($5.5 million), including cryptocurrency, $600 thousand and €500 thousand in cash, as well as computer equipment, crypto wallets used to commit crimes, and 20 premium cars purchased with criminal proceeds.
"As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community has ceased to exist, the information infrastructure used for criminal purposes has been neutralized. Representatives of the competent US authorities have been informed about the results of the operation," the FSB reported.
The REvil group is considered one of the most active hacker groups in the world. It has committed several major attacks, including against Apple and the Texas government.
It is worth noting that in the summer of 2021, according to The New York Times, the group disappeared from the darknet after REvil was discussed by US President Joe Biden and Russian leader Vladimir Putin at a summit in Switzerland. At the time, the American president called on the Russian Federation to take measures against cyber criminals operating on its territory.
Cyber specialists of the Security Service of Ukraine, together with the cyber police and American and British partners, conducted a large-scale special operation to eliminate a powerful hacker service.
According to the intelligence service, the suspects carried out attacks on foreign companies and also sold IP address changing services to other hackers. According to preliminary estimates, the group earned more than $1 million during its activity.
"Unlike the 'usual' VPN services that can be legally bought and used by everyone, the services of the attackers had a much broader functionality. In particular, they allowed computer viruses, spyware, and other malicious programs to be loaded directly through the platform. That is, it was a purely 'gangster' service created by intruders for intruders and not controlled by any government or law enforcement agencies," the SBU explained.
During the investigation, it turned out that the service was organized by citizens of Ukraine, including some wanted by foreign law enforcement agencies. They administered the service from home personal computers and, to avoid responsibility, hid behind different nicknames on the darknet.
It should be noted that the services were popular among members of international hacker groups who regularly hacked into the systems of government and commercial institutions to collect confidential information, distributed ransomware that encrypts the data on a PC and demands a ransom from the user, and carried out DDoS attacks to paralyze the operation of systems.
According to the SBU, in order to legalize the funds received from such activities, the attackers carried out complex financial transactions using a number of online services, including those banned in Ukraine.
During the searches conducted at the place of actual residence of the defendants and in their cars, mobile phones, computer equipment, and other material evidence of illegal activity were found and seized. Hackers face up to 15 years in prison.
According to Bloomberg sources in the Russian and American security and intelligence agencies, Klyushin is a Kremlin insider who, a year and a half ago, received a state award from Putin, the Order of Honor.
They added that Klyushin has access to documents that relate to the Russian campaign to hack the servers of the Democratic Party during the US elections in 2016. According to them, these documents confirm that the hacking was carried out by a group of hackers from the GRU, which is known under the names Fancy Bear and APT28. In addition, some sources expressed the opinion that Klyushin has access to secret records of other high-ranking GRU operations abroad. All this can make Klyushin a useful source of information for the US authorities, especially if he asks the court for leniency.
Another argument that Klyushin holds information valuable to the U.S. is that his subordinate at M13 was former GRU operative Ivan Yermakov. In 2018, Yermakov was one of the defendants charged with hacking into the computer systems of the Democratic Party.
Recall that on December 19, Switzerland extradited Klyushin to the United States. He is suspected of illegal trading in securities worth tens of millions of dollars. Klyushin is the head of the M13 company, which has developed the Katyusha media monitoring system for the Ministry of Defense and the Presidential Administration.
In 2017, The Insider managed to prove that the Fancy Bear group consists of employees of GRU military unit 26165. A year later, this finding was confirmed by the US Department of Justice, which officially brought charges against the group's hackers. APT28's most famous operation was the 2016 hacking of the Democratic Party's servers, intended to help Donald Trump defeat Hillary Clinton in the presidential election.
The RedLine malware targets browsers based on the Chromium engine (Chrome, Edge, Yandex.Browser and Opera) as well as those based on the Gecko engine (Mozilla Firefox and Netscape). RedLine steals saved passwords, bank card data, information about cryptocurrency wallets, cookies, system information, and other data from browsers.
Experiments further showed that the program collects any sensitive information stored in browsers and, in addition, allows the operator to control victims' computers via the SOAP remote access protocol and, hypothetically, to assemble them into botnets. The problem affects not only companies but also ordinary users.
The RedLine program appeared on the Russian darknet in February 2020. The announcement of its sale was posted by a Russian-speaking user with the nickname REDGlade.
The AhnLab ASEC report calls RedLine a serious cyber threat. ASEC discovered the program in 2021 when they were investigating the hacking of the network of an unnamed company. It turned out that access was carried out through a VPN service from an employee's computer infected with RedLine.
Attackers sell the malware on the darknet and on Telegram for an average of $150-200. RedLine is distributed through phishing mailings with attached files in .doc, .xls, .rar and .exe formats. It is also hosted on domains that masquerade as an online casino or, for example, the website of the Krupskaya Confectionery Factory.
It is worth noting that in December 2021, RedLine became the most popular program used in cyber attacks. Since the beginning of the month, more than 22 thousand attacks have been carried out with the help of RedLine.
Experts urged not to store credentials in browsers, suggesting instead to use a password manager and enable two-factor authentication wherever possible.
Google has filed lawsuits against two Russians - Dmitry Starovikov and Alexander Filippov. According to the company, they are behind the activities of a botnet called Glupteba.
The corporation claims that Glupteba has infected more than a million Windows devices worldwide, with the number of infections growing by "thousands" daily. The botnet was used to steal Google user account data. Most often, infection occurred after users downloaded free applications from unauthorized sources.
In addition to stealing and using other people's data, Glupteba was aimed at covert cryptocurrency mining and at redirecting other people's traffic through infected computers and routers. Using this method, illegal traffic can also be routed to other people's devices.
Google notes Glupteba's technical sophistication. It uses a blockchain, whose decentralized nature allows the botnet to protect itself effectively from disruption. For the company, this is the first case of fighting a blockchain-based botnet.
The main infrastructure of the botnet is now neutralized. Those who managed the network from infected devices no longer have access to it. However, the company notes that this statement is valid only at the moment.
Google assumes that it was Starovikov and Filippov who managed Glupteba, relying on data in their Gmail accounts and Google Workspace office applications. The company is demanding that they reimburse it for damages, as well as a lifetime ban on their use of Google services.
According to experts, this could set a positive precedent. If the Russians are in fact punished significantly, this will significantly weaken the hacker community as an attacker in cyberspace. At a minimum, the hackers' sense of impunity will disappear. You can read about how Google representatives tracked the hackers on the company's official website.
At least four companies suspected of money laundering and allegedly linked to ransomware hackers are based in the 97-storey Tower East of the Federation Complex in the Moscow City Business Center.
According to the agency, we are talking about the companies Suex OTC, EggChange, CashBank and Buy-bitcoin.pro.
Suex OTC is under US sanctions for helping cyber extortionists launder money. According to the research company Chainalysis, since 2018 Suex has processed at least $160 million in bitcoins from illegal and high-risk sources.
The largest shareholder of Suex at the time of the sanctions, Egor Petukhovsky, denied the involvement of his business in money laundering by hackers in October and announced that he would defend his position in an American court.
According to three Bloomberg sources, the US and Europe are also investigating EggChange on charges of money laundering. The world's largest cryptocurrency trading platform Binance said it also noticed “illegal flows” of funds going through EggChange and CashBank.
Chainalysis claims that the company Buy-bitcoin.pro, whose headquarters are also located in the Tower Federation-East, processed hundreds of thousands of dollars of funds from ransomware and other illegal operators, including Russia's largest darknet drug market Hydra.
Bloomberg writes that at least 50 companies converting cryptocurrency into cash are registered in Moscow City Tower. Cybersecurity and cryptocurrency experts consider Moscow City Tower to be one of the most influential points in the world of cryptocurrency cashing. Experts added that such operations are not illegal, but without serious supervision, such a business can help hackers to cash out criminal proceeds.
Stanislav Bibik, a partner at Colliers, explained the large concentration of cryptocurrency firms in the Tower Federation-East by the fact that this address is trustworthy. “Working there gives the tenant a high status and indicates that he has a solid business,” Bibik said.
The Prosecutor General's Office of the Russian Federation reported that Russia has submitted to the UN the world's first draft convention on countering cybercrime and the criminal use of cryptocurrency.
Recall that last year an interdepartmental working group on combating information crime was established, one of the main tasks of which was to develop a draft of a universal comprehensive international convention on combating the use of information and communication technologies for criminal purposes.
The project has a number of advantages. It takes into account modern challenges and threats in the field of international information security, including the criminal use of cryptocurrency, introduces new elements of crimes committed using information and communication technologies.
It is stressed that Russia was the first country to develop and submit to the special committee a draft convention on combating information crimes.
"Today cyber attacks are as much a weapon of mass destruction as a tactical nuclear weapon. Infrastructure, from the fuel supply to the water supply, can be stopped in an entire city. The settlement will be paralyzed with zero casualties. Thus, I would call cyberattacks bloodless killers, they do not set themselves the goal of destroying the population but simply teleport this population, in fact, to the Stone Age," State Duma deputy Ruslan Balbek said, commenting on the news.
According to him, the Russian draft convention is timely and relevant.
In March, the President of Russia Vladimir Putin announced an increase in the number of crimes in the IT sphere. He pointed out that over the past six years, the number of such crimes has increased 10 times.
Earlier, E Hacking News reported that a Russia-US summit was held in Geneva on June 16. Summing up the negotiations, Vladimir Putin said that the sides will start consultations on cybersecurity.
One of the most popular fraud schemes involves buying or selling an account in online games. An attacker can offer an account, but after transferring funds for it, the buyer does not get access to it.
Experts advise using specialized platforms for buying and selling an account, which charge a commission of about 10% for their services.
If there is no such platform, but there is a forum dedicated to the game, the expert advises studying the counterparty's account and forum rating as thoroughly as possible before selling or buying.
Gamers can also be deceived when buying expensive computer components, for example, video cards. Scammers create copies of popular online stores, in which the cost of components will be declared 2-3 times lower than the market price. The buyer most likely will not be able to return the money.
Another method of fraud is associated with the purchase of expensive goods, such as a game console, through a private classifieds service. In this case, the buyer is offered to open an e-wallet on one of the legitimate services. A virtual card supposedly linked to this account is to be used to make the payment.
The client transfers money to the wallet and informs the seller, after which he receives an SMS message with the virtual card details. However, the notification does not come from the service's number, but from the scammers' phone. So the gamer makes the transfer to the scammers and is left without money and without the desired product.
Another method of fraud is connected with watching streams of other gamers. Scammers copy the broadcasts of famous players and add banners with ads for easy earnings to the video. By clicking on them, people get to the resources of scammers, where they lose money by providing their bank card details.
According to the expert, the solution to the problem in the gaming world could be the active development and use of escrow services, as is done when selling domain names on the Internet.
In January, Andrei Tyurin was sentenced to 12 years in prison for the largest theft of personal data of bank clients in US history. He acted as part of a hacker group and stole data that brought the hackers hundreds of millions of dollars.
The Federal Court for the Southern District of New York ordered Russian Andrei Tyurin, who was sentenced in January to 12 years in prison for cybercrimes, to pay compensation in the amount of $19.9 million. This is evidenced by the documents received on Monday in the court's electronic database.
As follows from these materials, the parties came to an agreement on the amount that Tyurin should provide to individuals and legal entities affected by his actions. According to the agreements approved by the court, Tyurin "will pay compensation in the amount of $19,952,861." The full list of companies and individuals who will receive these funds is not provided in the documents. It is also not specified whether Tyurin has the ability to pay the specified amount.
In early January, Tyurin was sentenced to 144 months in prison. According to Judge Laura Taylor Swain, the Russian was involved in "large-scale criminal activities of a financial nature." According to the investigation, he was involved in cyber attacks on large American companies in order to obtain customer data.
The US prosecutor's office said that Tyurin hacked the data of nearly 140 million customers and stole information from 12 companies. Among them are JPMorgan Chase Bank, Dow Jones & Co, Fidelity Investments, E-Trade Financial. The authorities called the actions of the Russian the largest theft of data from bank clients in the history of the country.
Tyurin was extradited to the United States from Georgia in September 2018. The American authorities charged him with hacking into the computer systems of financial structures, brokerage houses and the media specializing in the publication of economic information. Representatives of the Secret Service claimed that the Russian was involved in "the largest theft of customer data from US financial structures in history." They noted that Tyurin could be sentenced to imprisonment for up to 92 years.
The Russian initially declared his innocence. According to the materials of the court, in September 2019 Tyurin made a deal with the prosecutor's office. He pleaded guilty to several counts. The US Secret Service claimed that Tyurin and his accomplices "embezzled hundreds of millions of dollars."
Tesla CEO Elon Musk commented in Russian on Twitter on Friday on the news that Russian Egor Kryuchkov had pleaded guilty.
According to the federal prosecutor's office in the state of Nevada, Russian Egor Kryuchkov, who pleaded guilty to conspiracy to hack Tesla's computer network, will be sentenced on May 10.
"A Russian national pleaded guilty in federal court today to conspiracy to travel to the US to hire a Nevada-based employee to install software on the company's computer network," the document said.
It specifies that the Russian "pleaded guilty to one count of intentionally damaging a protected computer, and is scheduled to be sentenced on May 10."
According to the US Department of Justice, the Russian tried to bribe a Tesla employee with $1 million to install the software. The attackers intended to use the stolen data to blackmail the company by threatening to make the information public. "This was a serious attack," Musk said at the time.
The employee whom the Russian allegedly tried to recruit in the summer of 2020 notified his management about the plan, and the company informed the FBI.
The US Justice Department reported in August that Kryuchkov had been detained in Los Angeles, California, on charges of conspiracy to intentionally harm a protected computer. Initially, the Russian did not admit his guilt. His relatives and acquaintances said Kryuchkov had nothing to do with the IT industry and had never programmed.
However, on March 18, the US Department of Justice announced that the man had pleaded guilty to one count of deliberately damaging a protected computer.
It is worth noting that Tesla CEO Elon Musk commented in Russian on the news that Russian Egor Kryuchkov had pleaded guilty. Musk published a corresponding entry on Twitter on Friday.
The head of Tesla, following the rules of the pre-reform spelling of the Russian language, wrote the title of the novel by Fyodor Dostoevsky (1821-1881) "Crime and Punishment".
Musk had previously tweeted in Russian on several occasions.
Members of the Egregor group, which operates under the Ransomware-as-a-Service (RaaS) model, have been arrested by the Ukrainian police.
The arrest is the result of a joint operation of the French and Ukrainian law enforcement systems. The names of the arrested citizens were not disclosed, but it is known that they provided logistical and financial support for the service.
It is worth noting that this ransomware has been active since the fall of 2020 and works according to the Ransomware-as-a-Service (RaaS) model. That is, the authors of the malware rent it out to other criminals, who are already hacking companies, stealing data, encrypting files, and then demanding a “double ransom” from victims (for decrypting files, as well as for not disclosing the data stolen in the process of hacking).
If the victims pay a ransom, the group that organized the hack keeps most of the funds, and the developers of Egregor receive only a small share. The attackers laundered funds through the Bitcoin cryptocurrency.
Those arrested are suspected, among other things, of providing such financial schemes.
According to Allan Liska, a cybersecurity researcher at Recorded Future, the company has discovered that the Egregor infrastructure, including the site and the command-and-control infrastructure, has been offline since at least Friday (February 12).
The French side joined the investigation after the Egregor software was used in attacks on the computer game developer Ubisoft and the logistics organization Gefco in 2020.
Although the Egregor system based on the RaaS model was launched in September 2020, a number of cybersecurity experts believe that the service operators are the well-known cyber ransomware group Maze.
In 2020, cybercriminals used bank cards, the Internet, and the telephone to commit crimes. In particular, during the year, the number of offences involving the use of plastic cards increased by a record 453.1%, reaching 190.2 thousand. In 2019, according to the Ministry, there were only 34.4 thousand.
The Central Bank confirmed an increase in the number and volume of transactions without the consent of bank customers in 2020.
Sergey Voldokhin, director of the company Anti-Phishing, confirmed that massive phone fraud, malicious banking applications for smartphones and fake payment system sites became a real problem in 2020. According to him, with the beginning of the pandemic and the transition to remote work, cyber fraudsters gained new opportunities for attacks. "Judging by the volume of thefts, banks and financial companies were not ready for a large-scale impact on their customers," he added.
According to Sergey Golovanov, a leading expert at Kaspersky Lab, fraud trends are likely to continue in 2021.
"But a significant increase in their number is unlikely, as financial organizations and telecom operators are actively fighting such schemes, and the news agenda has made citizens wary of suspicious calls," he noted.
According to Pavel Utkin, a leading lawyer at Parthenon, the problem of phone fraud with plastic cards will disappear by itself when banks establish control over the personal data of customers.
The banks noted that in order to minimize attacks, they have already implemented comprehensive anti-fraud systems, as well as information campaigns among customers about new types of fraud and methods of countering them.
Earlier, E Hacking News reported that Sberbank is the most targeted organization in Europe by hackers.
Kirill Firsov admitted his guilt in trying to obtain secret information about the clients of a certain company for fraudulent purposes.
A hearing on the sentencing of Russian citizen Kirill Firsov, who pleaded guilty in the United States to data theft, will be held on April 12.
As noted, before the sentence is announced, the court will be presented with additional materials on the case. Firsov agreed to attend the hearing via videoconference.
Recently, the Russian has reached an agreement with representatives of the prosecutor's office. Firsov pleaded guilty to trying to fraudulently obtain confidential information about the clients of a certain company. He could be sentenced to up to 10 years in prison and ordered to pay a fine of up to $250,000.
The prosecution agreed not to seek the most severe punishment for the Russian. He waived the right to insist on a trial and to challenge the charges in question.
Recall that the US authorities detained Firsov on suspicion of stealing the personal data of California residents for further sale, with the aim of using it in forged identity cards. The Prosecutor's Office of the Southern District of California names Firsov as the administrator of the platform DEER.IO.
The US authorities claimed that this platform is based in Russia. This resource was allegedly used to sell information stolen by hackers, including personal data and information about bank accounts.
As follows from the materials, the site operated from 2013 to 2020, the income from illegal sales amounted to $17 million.
Firsov said that most of his victims were Russians, but about $1.2 million was earned by selling information about Americans. This fact allowed the FBI to pursue Firsov and detain him upon arrival in the country.
The Russian was arrested on March 7 at the John F. Kennedy Airport, in New York. Three days earlier, the FBI made a "test purchase" on his website, acquiring information about 1,100 gamers for $20 in bitcoins.
The FBI has begun looking into the JetBrains company. So far, there are no specific accusations, but investigators are examining whether the company's products could have been used in the hacking of the American company SolarWinds, which is considered the starting point of the global hacker attack.
JetBrains, founded in Prague in 2000, sells customers software that makes it much easier to create applications. For millions of developers, its tools are indispensable: the company now has more than 10 million users in more than 213 countries. In an interview with Forbes, the company's CEO, Maxim Shafirov, said that despite the pandemic, revenue has grown by 10% over the past year, and the company suggests that this year it can reach $400 million. According to a JetBrains representative, the company is worth more than $1 billion.
On Wednesday, The New York Times, Reuters and The Wall Street Journal reported that the investigation does not exclude a connection between JetBrains and one of the largest acts of cyberespionage in recent times. The publications hinted that hackers could have compromised JetBrains or one of its products, the TeamCity testing and code-sharing service, in order to then gain access to the systems of SolarWinds, which used this service.
As a result of the attack, hackers compromised one of the SolarWinds tools and used it to break into the networks of customers, including government departments and major US IT companies. Among the victims of the cyberattack were the US Department of Justice, which announced that 3% of its messages sent through Office 365 were compromised, as well as the US Department of Energy and Treasury, Microsoft, Cisco and other organizations. The US claims that the attacks are linked to Russia. The Kremlin denies any involvement.
It is noted that the reputation of JetBrains can be seriously damaged if it is proved that its employees are involved in compromising the software and its misuse.
The Federal Court of the Southern District of New York sentenced Russian Andrey Tyurin to 12 years in prison for committing a number of cybercrimes. In addition, he was ordered to pay the United States 19 million dollars.
The Russian Consulate General in New York is in contact with law enforcement agencies in the United States in the case of the Russian Andrei Tyurin, who was sentenced by the court to 12 years in prison for cybercrime, said the press secretary of the diplomatic mission Alexey Topolsky.
According to him, the conditions of detention of the Russian citizen were difficult in the context of the COVID-19 pandemic. Topolsky recalled that Tyurin contracted the coronavirus in an American prison.
"The Russian Consulate General in New York is monitoring the case of Andrei Tyurin and is in contact with US law enforcement agencies," said Topolsky.
In his last speech, Tyurin said that he sincerely repents for what he did.
According to the judge, Tyurin must reimburse the United States $19,214,956, the profit he derived from his criminal activities.
By US standards, a 12-year sentence is not the harshest for such a crime, says international lawyer Timur Marchani.
"In the United States, for crimes related to cybersecurity, for crimes that entail hacking the banking system, some of the harshest penalties are provided. Here, the court took into account first of all the hacker's remorse and, most importantly, cooperation with the preliminary investigation authorities and then with the court," said Mr. Marchani.
Recall that the Russian was detained in Georgia at the request of the United States in December 2017. In September 2018, he was extradited to the United States. In September 2019, Tyurin pleaded guilty to six counts of the indictment.
According to the investigation, Tyurin participated in a "global hacking campaign" against major financial institutions, brokerage firms, news agencies and other companies, including Fidelity Investments, E-Trade Financial and Dow Jones & Co.
Prosecutor Jeffrey Berman said that Tyurin ultimately collected client data from more than 80 million victims, "which is one of the largest thefts of American client data for one financial institution in history."
Not only a programmer but also simply a specialist with a good knowledge of mathematics can become a hacker in Russia, said Group-IB head Ilya Sachkov. The entrepreneur believes that for such people money is the priority.
"This is a talented young man, whose task is to earn money and that's all. He is not always well-educated in the humanities, not someone who will cause you sympathy. The priority is money, expensive cars, expensive watches, holidays abroad," said Sachkov.
Ten years ago, the career of a hacker was chosen exclusively by students, mostly children from disadvantaged families. However, the situation has changed: this profession is now chosen by those who "live in very rich families, with normal relations between parents".
A typical Russian hacker "tries to play Don Corleone", communicates with former or current law enforcement officers, and also looks for political patrons who will explain to him that real Russian hackers steal money from foreigners because of the "war with America".
He noted that the creators of viruses are often people with special needs, autistic children who have fallen into an aggressive environment. At the same time, the opinion that Russian-speaking hacker groups lead the world is already outdated. Today, all of them are mixed by nationality, although in the 90s it was people from the post-Soviet space, communicating among themselves in Russian, who were among the first to engage in such things.
Group-IB specializes in products that help protect against cyber attacks and fight online fraudsters. In particular, the company investigates cybercrimes and helps to monitor attacking hackers. The group cooperates with Europol and Interpol.