A Russian criminal gang secretly conducted cyberattacks and espionage operations against NATO allies on the orders of the Kremlin’s intelligence services, according to the UK’s National Crime Agency.
Evil Corp, which includes a leader who gained notoriety for driving a Lamborghini luxury sports car, launched the hacks prior to 2019, the NCA said in a statement on Oct 1. The NCA’s statement came amid an internationally coordinated effort to punish Evil Corp’s alleged members with sanctions and, in the US, an indictment.
The gang has been accused of using malicious software to extort millions of dollars from hundreds of banks and financial institutions in more than 40 countries. In December 2019, the US government sanctioned Evil Corp and accused its alleged leader, Maksim Yakubets, of providing “direct assistance” to the Russian state, including by “acquiring confidential documents.”
The NCA’s statement on Tuesday provides new detail on the work Yakubets and other members allegedly carried out to aid the Kremlin’s geopolitical aims. The exact nature of the hacks against the North Atlantic Treaty Organization allies wasn’t immediately clear.
The gang cultivated close ties with officials from Russia’s main intelligence agencies, the Federal Security Service (FSB), Foreign Intelligence Service (SVR) and a military intelligence agency of the General Staff of the Armed Forces, known as the GRU, according to the NCA. That effort, the NCA alleged, was partly aided by Yakubets’ father-in-law, Eduard Benderskiy, a former high-ranking official of a secretive FSB unit named Vympel, which the investigative outlet Bellingcat has linked to assassination operations.
In addition, when the US punished the hackers in 2019, Benderskiy came to their aid – using his FSB connections to protect the hackers from any internal blowback from Russian authorities, according to the NCA.
The NCA said that another alleged Evil Corp leader, Aleksandr Ryzhenkov, also worked with the prolific Russian ransomware group LockBit, where he operated under the pseudonym “Beverley”.
A spokesperson for Russia’s Embassy in London didn’t respond to requests for comment.
The UK, US, and Australian governments separately announced on Oct 1 that they were sanctioning the group. The UK sanctioned sixteen people it accused of being involved with Evil Corp, including Yakubets, Benderskiy and Ryzhenkov.
The US Treasury added seven people and two entities allegedly linked to Evil Corp to its own sanctions list. Meanwhile, the US Justice Department released an indictment accusing Ryzhenkov of using a kind of ransomware called BitPaymer to attack victims in Texas and elsewhere in the US and to hold their sensitive data for ransom.
David Lammy, the UK’s Foreign Secretary, said the sanctions were intended to send a message to the Kremlin that Russian cyberattacks wouldn’t be tolerated.
“Putin has built a corrupt Mafia state with himself at its center,” he said. “We must combat this at every turn, and today’s action is just the beginning.”
LockBit targeted thousands of companies with its ransomware, which encrypts files on a victim’s computer and demands payment to unlock them. Hackers working for the group, known as affiliates, claimed credit for breaching several major companies, including the US arm of the Industrial and Commercial Bank of China, Boeing Co, and the UK’s national postal service, the Royal Mail.
Beginning in 2022, Evil Corp’s Ryzhenkov used LockBit’s ransomware to target as many as 60 organisations, from whom he tried to extort a total of US$100mil, according to the UK authorities.
The NCA’s assessment appears to confirm a June 2022 report from the cybersecurity firm Mandiant, which said that hackers affiliated with Evil Corp had started working with LockBit. LockBit previously denied a connection to Evil Corp, portraying themselves as common cybercriminals.
LockBit was itself targeted earlier this year by a coalition of Western law enforcement agencies. In February, its website was dismantled, and authorities disclosed the identity of its alleged leader. The NCA said on Tuesday that people linked to LockBit were recently arrested in the UK, France and Spain, where nine servers were also seized. The agency said it is continuing to pursue others connected to the gang. – Bloomberg