Russia's internal security service, the FSB, has arrested a ring of 50 people who used malware-infected websites to steal credit card and bank account details from thousands of victims, netting over 1.7 billion rubles (about $25 million).
The FSB, the successor to the Soviet-era KGB, carried out a series of coordinated raids across 15 regions of the Russian Federation to break up the ring and arrest those responsible for the malware and the thefts.
"As a result of searches a large quantity of computer equipment was confiscated along with communications gear, bank cards in false names, and also financial documents and significant amounts of cash confirming the illegal nature of their activity," said the FSB in a statement on the arrests.
The group used a malware family called Lurk, which is delivered through compromised websites; once on a machine it downloads further components that give the operators remote access to the victim's computer.
The ring has been spreading Lurk since 2011, according to Russian cybersecurity firm Group-IB.
According to an analysis of Lurk published by cybersecurity intelligence firm Flashpoint, the program appears to be a variant of ZeusVM, a Zeus-derived banking trojan known for fetching its configuration hidden inside image files.
"[The Lurk malware] variant appears to expect configuration files from the command and control (C2) server in the form of images with interesting anti-forensics obfuscation routines," said Vitali Kremez, Cybercrime Intelligence researcher at Flashpoint.
"The propagation methods appear to include drive-by downloads from Exploit Kits (EK)," he said. "Because of Lurk being used as a downloader malware, the true extent of the campaign and its targeting is yet unknown and to be determined. The actual unidentified banking trojan is alleged to be installed post-Lurk infection."
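The configuration-in-an-image trick Kremez describes is worth being able to spot in triage. The following is an added example, not code from the article, Flashpoint or the Lurk authors: a small Python helper that walks a PNG or JPEG container to find where the picture structurally ends and reports anything appended past that point, then undoes a repeating-key XOR over the tail. The PNG builder, the marker-level JPEG skeleton, the XOR key and the JSON config are all constructed for the demonstration; the page does not describe Lurk's actual encoding, so treat the decoder as illustrative of the "appended after end-of-image" pattern, not as a Lurk parser.

```python
"""
Triage helper for image files that may carry an appended configuration blob.

Constructed example: a PNG is built from scratch, an XOR-obfuscated JSON
config is appended after the IEND chunk, and the helper recovers it. The key,
the config and the container handling are assumptions for illustration only;
they are not Lurk's or ZeusVM's real format.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Assumed repeating XOR key and constructed config (RFC 5737 documentation IP).
KEY = b"\x5a\xa5\x3c"
SAMPLE_CONFIG = b'{"c2":"http://198.51.100.7/gate.php","version":1}'


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int = 1, height: int = 1) -> bytes:
    """Minimal valid 8-bit RGB PNG (all black), used as the innocent carrier."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


def build_jpeg_skeleton() -> bytes:
    """Marker-level JPEG stand-in (SOI, APP0, SOS, stuffed scan bytes, EOI).
    Not a decodable picture; just enough structure to exercise the marker walk."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"  # 0xFF inside scan data is byte-stuffed as FF 00
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI


def image_end_offset(data: bytes):
    """Offset just past the container's end marker, or None if malformed.
    Bytes beyond this offset are not part of the picture a viewer renders."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length  # length + type + data + crc
            if ctype == b"IEND":
                return pos if pos <= len(data) else None
        return None
    if data.startswith(JPEG_SOI):
        pos = 2
        while pos + 4 <= len(data):
            if data[pos] != 0xFF:
                return None
            marker = data[pos + 1]
            if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
                pos += 2  # standalone markers carry no length field
                continue
            seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            pos += 2 + seglen
            if marker == 0xDA:
                # Entropy-coded data follows SOS; a 0xFF there is stuffed as
                # FF 00 or is a restart marker, so the first FF D9 is the EOI
                # (multi-scan progressive files would need a fuller walk).
                eoi = data.find(JPEG_EOI, pos)
                return None if eoi < 0 else eoi + 2
        return None
    return None


def trailing_bytes(data: bytes) -> bytes:
    """Everything appended after the picture; empty for a clean image."""
    end = image_end_offset(data)
    if end is None:
        raise ValueError("unrecognised or truncated image")
    return data[end:]


def xor_bytes(blob: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def embed_config(image: bytes, config: bytes, key: bytes = KEY) -> bytes:
    """Attacker side of the constructed scheme: obfuscate and append."""
    return image + xor_bytes(config, key)


def recover_config(data: bytes, key: bytes = KEY) -> bytes:
    """Analyst side: strip the picture, undo the XOR. Empty if nothing appended."""
    return xor_bytes(trailing_bytes(data), key)


if __name__ == "__main__":
    carrier = build_png(4, 4)
    sample = embed_config(carrier, SAMPLE_CONFIG)
    print("appended bytes:", len(trailing_bytes(sample)))
    print("recovered:", recover_config(sample).decode())
```

The structural walk matters more than the XOR: a viewer happily renders the file whatever is appended, and a naive `grep` for a C2 string finds nothing in the obfuscated tail, so the cheap, robust signal is simply "this image has N bytes after IEND/EOI that a real encoder would never write". Run `trailing_bytes` over images fetched by a suspicious process and investigate any non-empty result before worrying about the specific encoding.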
According to Kremez, most of the 50 individuals arrested were likely not hackers but money mules attached to the theft operation.
"While the investigation discloses the arrest of the 50 hackers connected with their targeting of the Russian financial institutions, it is more likely that most of the individuals appear to be money mule operators supporting the criminal operation rather than the hackers working in concert," he said.
Russian cybercrime has become an increasingly prevalent aspect of digital crime and data theft over the past several years. A recent report disclosed an ongoing Russian ransomware ring, apparently left untouched by Russian authorities despite poor operational security, which has targeted thousands of Western individuals and corporations over the course of at least four years.
However, the Lurk malware targeted Sberbank, a prominent Russian financial institution and the third largest bank in Europe. According to Leo Taddeo, former FBI Special Agent in charge of the New York Cybercrimes division, this may have been the reason why the Lurk malware ring was busted while others have been allowed to conduct their operations unscathed.
"This operation shows what US cyber experts knew all along: that Russia is very capable of finding and stopping cybercriminals operating within their borders," Taddeo said. "The remaining question is whether Russia has changed its policy of intransigence on the cybercrime issue for the benefit of the US and other victims of Russian cybercrime, or if Russian law enforcement targeted this cyber gang because it made the mistake of stealing from a Russian bank."
Though this particular ring has been broken up, the Lurk malware is still in circulation, and Kremez says users should exercise caution when visiting unfamiliar websites.
"The malware developers appear to be highly sophisticated and capable of developing malware to avoid anti-virus detection and stay on the system for quite some time," he said.