Russia Busts Nine More Lurk Malware SuspectsSeparately, Treason Investigation Chills Cybersecurity Experts' Cooperation
Russian law enforcement agencies have arrested more suspects as part of their investigation into an alleged cybercrime operation that targeted Russian financial institutions, aided in part by "Lurk" malware.
See Also: 2020 Cyberthreat Defense Report
On Jan. 25, Russian police detained nine Russian citizens in Moscow, Saint Petersburg, the Krasnodar Territory and the Tver and Sverdlovsk regions on hacking-related charges, Russia's Interior Ministry, or MIA, said Feb. 8.
The arrests - all nine individuals remain jailed - were made as part of a joint operation between the MIA and the country's internal security service, the FSB, formerly known as the KGB. As part of the operation, police carried out searches at 34 addresses, from which they seized more than 90 pieces of computer hardware, nearly 4.5 million rubles ($74,700), as well as some weapons.
So Far: 55 Suspects
The ongoing investigation first came to light after Russian federal agents arrested 50 suspects in mid-2016. Of those, 19 have been jailed while another 27 alleged gang ringleaders and members have been charged.
Authorities have accused the gang of stealing 1.7 billion rubles ($28.9 million) - just from customers' accounts at Russian banks - beginning in 2013. Security experts say bank customers in other countries also were targeted. The gang attempted to steal another 2.3 billion rubles ($39.1 million) by issuing false payment instructions to Russian banks, which the banks successfully blocked, officials say.
Sberbank - the largest bank in Russia and Eastern Europe - was reportedly one of the affected banks, and it assisted with the police investigation. According to the FSB, five other Russian banks - including Metallinvestbank, Metropol, Regnum and Russian International Bank - experienced fraud in 2016 as a result of Lurk. The MIA couldn't be immediately reached for comment on which other Russian organizations the gang allegedly targeted.
The malware used by the gang, called Lurk, was first spotted in 2011 and was originally used for click fraud - generating fake clicks on advertisements to illegally generate profits for website operators. Moscow-based security firm Kaspersky Lab, in a report, says the gang later revamped the malware to help the gang exploit weaknesses in Russian banks' security defenses and also developed the Angler - aka Axpergle, XXX - exploit kit to help it infect endpoints with Lurk.
By 2014, however, banks improved their defenses, and the gang's revenue plummeted, leading the group to rent Angler to several other cybercrime groups to help pay for its costly infrastructure, Kaspersky Lab says. "By that time, the criminal group had an extensive and extremely costly network infrastructure, so, in addition to employees' salaries, it was necessary to pay for renting servers, VPN and other technical tools," according to the report. "Our estimates suggest that the network infrastructure alone cost the Lurk managers tens of thousands of dollars per month."
After Arrests, Angler Exploit Kit Disappeared
Following the mid-2016 arrests of suspected Lurk members, security experts reported that Angler exploit kit activity suddenly disappeared.
Cisco's Talos threat-intelligence research team says that beyond running Angler, there are clues that the Lurk gang may have also been tied to the Necurs botnet, which was instrumental in distributing Locky ransomware and Dridex banking malware.
Kaspersky Lab assisted Russian authorities with their Lurk investigation. "From the very start, Kaspersky Lab experts were involved in the law enforcement investigation into Lurk," Ruslan Stoyanov, then the head of computer incidents investigation at Kaspersky Lab, said in a June 2016 statement. "We realized early on that Lurk was a group of Russian hackers that presented a serious threat to organizations and users. ... Armed with that knowledge, the Russian police could identify suspects and gather evidence of the crimes that had been committed."
Subsequently - and apparently separately - Stoyanov was arrested in December 2016 by Russian authorities on suspicion of treason, allegedly relating to the transfer of state secrets to a U.S. intelligence firm. Kaspersky Lab confirmed Stoyanov's arrest, but said that he "is under investigation for a period predating his employment at Kaspersky Lab," and that it had no further information.
Two members of the FSB's Information Security Center - Sergei Mikhailov and Dmitry Dokuchayev - were also arrested.
"All the suspects have been charged with high treason. This is the sole count in the case. There are no other accusations," Ivan Pavlov, a lawyer for one of the defendants in the case - he declined to specify which one - told Russian news agency TASS. But he said the charges don't specify which intelligence agency the suspects allegedly worked with. "No CIA is mentioned in the case. It is only the country that is mentioned. Yes, the talk is about America, not about the CIA," he said.
The Kremlin has continued to deny any suggestions that the men's arrest was connected to Russia-aligned attackers allegedly breaching U.S. Democratic National Committee systems and dumping stolen data in an attempt to influence the 2016 Presidential elections. Officials have continued to assert that the treason arrests don't tie to those supposed attacks, which they claim Russia never launched.
"In any case, no matters of this sort can have any relation to such absurd insinuations [about hacker attacks] or, as we have already said, we categorically deny any assertions about the possible complicity of the Russian side in any hacker attacks," Kremlin spokesman Dmitry Peskov told Tass.
Arrests Chill Cybersecurity Cooperation
Stoyanov's arrest has reportedly led to a sharp decline in the sharing of threat intelligence between Russian cybersecurity researchers and their foreign counterparts.
"Everybody has clammed up," John Bambenek, a manager of threat research at Fidelis Cybersecurity, tells Reuters.