On Aug. 29, the Health Sector Cybersecurity Coordination Center (HC3) released a threat profile on Evil Corp (AKA UNC2165)—one of the most efficient cybercriminal syndicates globally. The syndicate is based out of Russia and has been in operation since 2009.
Evil Corp is responsible for developing and operating several of the most powerful malware and ransomware variants and has strong relationships with other cybercriminal groups and the Russian government. The U.S. has already indicted members of the gang and has an active bounty offered for information on their leadership. HC3 says that Evil Corp has been observed modifying their activities to evade U.S. federal government actions to stop them.
The threat profile says that “Evil Corp should be considered a significant threat to the U.S. health sector based on several factors. Ransomware is one of their primary modus operandi as they have developed and maintained many strains. Many ransomware operators have found the health sector to be an enticing target as, due to the nature of their operations, they are likely to pay some form of ransom to restore operations. Healthcare organizations are particularly susceptible to data theft as personal health information (PHI) is often sold on the dark web to those looking to leverage it for fraudulent purposes. Foreign governments often find it to be more cost effective to steal research and intellectual property via data exfiltration cyberattacks rather than invest time and money into conducting research themselves. This includes intellectual property related to the health sector. It is entirely plausible that Evil Corp could be tasked with acquiring intellectual property from the U.S. health sector using such means at the behest of the Russian government.”
Moreover, “Evil Corp is a cybercriminal gang that has been exceptionally aggressive and capable in their more than decade of global hacking operations. According to the U.S. Treasury Department in 2019, ‘Evil Corp has used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft,’ and also has, ‘caused millions of dollars of damage to U.S. and international financial institutions and their customers.’ Seventeen members of the group have been sanctioned by the U.S. Treasury Department and two key members are under indictment by the FBI. Former Treasury Secretary Steven Mnuchin referred to Evil Corp as, ‘of the world’s most prolific cybercriminal organizations.’ Former Assistant Attorney General Brian A. Benczkowski characterized some of Evil Corp’s actions as having, ‘deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide’ and being, ‘the perpetrators behind the world’s most egregious cyberattacks,’ and having targeted victims across the globe in, ‘one of the most widespread malware campaigns we have ever encountered.’ The State Department and FBI have a standing offer of $5 million for information leading to the arrest and conviction of their leader, Maksim Yakubets, which is the largest reward for a cybercriminal ever offered.”
The threat profile adds that Evil Corp goes by other names such as UNC2165, GOLD DRAKE, and Indrik Spider. The profile also lists leadership and key individuals involved in Evil Corp. The group is primarily a cybercriminal group and is financially motivated. The group often uses digital extortion, like ransomware attacks, and cyberattacks that facilitate sensitive information theft that can then be sold on the dark web for profit. According to the profile, where Evil Corp sets itself apart from other threat actors is how they blur the lines between cybercriminals and state-sponsored activities—cooperating with Russian intelligence agencies, including but not limited to the FSB.
“Evil Corp have operated a number of prominent malware and ransomware variants over their history and as such, the list of tactics, techniques and procedures (TTPs) they leverage is wide,” the threat profile notes. “They have a wide variety of technical capabilities due to both their in-house capabilities as well as the relationships they have with other cybercriminal groups. They often leverage the very common tactic of phishing as well as the use of legitimate security tools and living-off-the-land techniques.”
The profile concludes that it is not feasible to lay out a complete list of defenses and mitigations for a group like Evil Corp, whose wide range of capabilities is continually being developed, but it links to numerous examples of mitigations, indicators of compromise, and similar defensive information that could be helpful.