This American Oil Company Lost $3.5 Million To 'Evil Corp' Hackers But Came Out On Top


It was the Friday before Labor Day 2012. The executive team of Penneco Oil, a small Pittsburgh company, was lunching at the Atria's Restaurant and Tavern - your typical off-highway American eatery, candy-striped awning, red brick and white plaster facade, a dimly-lit, cosy interior - when hundreds of emails started flooding into the inbox of treasurer Matthew Jacobs.

Baffled by the huge influx of mail filling up his phone, Jacobs called IT. They couldn’t explain how the waves of mail were getting past the filters. The spam had been craftily constructed, it seemed. When they returned to the office, the phones started ringing. All of them. For three hours. When answered there was nothing but a robotic hum. This was not how holidays were supposed to be welcomed.

A mobile call to the phone company revealed little. There was no explanation for the calls. They all seemed legitimate and were coming from the US. IT, meanwhile, had to shut down the whole company’s email system, as 70,000 messages had flooded the mail servers and there was no sign of abatement. Without knowing what was going on, Penneco went into the long weekend unaware they were now a victim of the Evil Corp hacking crew.

This is the account of Penneco chief operating officer Ben Wallace, who told FORBES it wasn’t until the Tuesday after Labor Day in 2012 that First Commonwealth bank called to ask if the small oil firm had ordered wire transfers totalling more than $3.5 million to Russia. It soon emerged something was amiss. The barrage of emails and calls now made sense: they were to prevent any bank notification of the transfers. A quick call was made to the FBI.

Two weeks later the assigned FBI agent, who had taken the treasurer’s computer away for forensics, revealed more about the fraud to Wallace. It emerged, said Wallace, that the computer had been infected with malware known as Dridex for two weeks before the transfers were made. That malware installed a keylogger, which hoovered up the login details for the firm's online banking with First Commonwealth. He said his employer is still clueless as to how the malware found its way onto the treasurer's PC in the first place.

The Evil Corp hackers typically sent phishing emails containing Microsoft Office documents, which, when opened, would lead to malware infection. They traditionally promised invoice files or other documents relating to company accounts.

Penneco learned three separate wire attempts were made, two of which were successful, resulting in $2,158,600 and $1,350,000 transfers reaching accounts held in Russia. A third attempt to transfer $76,520 failed. According to Wallace, that $3.5 million wasn’t even held in the account; it appeared Evil Corp moved money between Penneco accounts before wiring it out and on to its final destination.

The same kind of targeted, patient tactics were typical of Evil Corp, the creators of the Dridex malware that made them at least $50 million from individuals and companies across the world. Rather than rush their attacks, they waited for the right time to pounce. Just as they chose a late Friday afternoon ahead of a long weekend, when US banks would be closed while European ones were open, the Dridex masterminds would choose their modus operandi to suit the country and industry of their targets.

There was often a “lead time”, said Daniel Shepherd, chief marketing officer at S21sec, a security company credited with assisting the Dridex law enforcement action announced this Wednesday. “Before they ever execute fraudulent transactions they’ve been laying the seeds for quite a period of time,” he told FORBES. “When they were ready they could activate a large-scale attack very quickly.” He noted there were a large number of infections in Spain, but no fraudulent activity. This indicated the Spaniards were in the crosshairs of the Evil Corp team but the hackers hadn't found an apt time to initiate their fraud, he added.

Evil Corp used a large number of genuine accounts to launder money through too, Shepherd added. “The level of planning going on ... is very high.”

Taking on Evil Corp and winning

Penneco and its bank, however, were not left penniless. Though Wallace said the FBI warned him it was unlikely funds would be recovered, after just two weeks, all the money that was lost was returned. A spokesperson at First Commonwealth told FORBES that it had managed to recover all the money as of last year.

The bank was assisted by the receiving bank in Russia, which froze the largest wire transfer, according to the spokesperson. Russian legal counsel were then employed to obtain a court order for the funds to be returned to First Commonwealth. “That process took over two years and involved several different Russian civil and criminal courts, and the funds were ultimately returned during the fourth quarter of 2014. During that time, the individual who received the funds was arrested and convicted by a Russian court,” the spokesperson added.

That last fact - that a perpetrator had been identified and convicted - was not revealed by US law enforcement this week. At the time of publication, FORBES could find no more substantive information on that successful prosecution. The bank declined to offer more information and the FBI had not responded to requests for comment.

Despite all those recent successes, Evil Corp lives on. Just yesterday, security company Proofpoint saw Dridex samples in spam emails passing around the web, and the same command and control infrastructure said to have been disrupted this week was in use again. According to Kevin Epstein, VP of threat operations at Proofpoint, most of the attacks were aimed at targets in the UK, which suffered as much as £20 million ($30 million) in losses as a result of Evil Corp’s actions.

Only one other arrest of an Evil Corp member, Andrey Ghinkul, has been made. Known Russian residents Igor Turashev, Maksim Viktorovich Yakubets, Maksim Mazilov and Andrey Shkolovoy are believed to still have access to the backend infrastructure for Dridex. And, as Shepherd noted, there could well be more members of Evil Corp who have successfully remained under the radar, unlike their less cautious colleagues who were caught out using Google’s Gmail service and so had their accounts handed to US police.

“Our biggest concern is that there are things we haven’t yet seen and individuals who are not yet visible who could pick up the mantle. We’re not convinced we’re close to the end of the story.”