Maksim was the leader of the operation, a Russian with ties to his country's Federal Security Service. Igor was his assistant, setting the traps and doing his boss's bidding. The plan was straightforward--plant malware on as many computers in businesses and institutions in Pennsylvania as possible for a large payday.
Maksim did not discriminate when it came to his victims. A bank, several small businesses, and a school district were all targeted.
He also decided to include a lumber company, a gas company, and (ruthlessly) even an organization of nuns in Chicago. Yes, even nuns are vulnerable to cyber attacks.
The exact whereabouts of the hackers are still unknown, but the two men didn't need to be close to get paid. They infected computer systems with automated programs designed to identify banking passwords and reroute wire transfers--draining accounts before anyone even knew what had happened.
Their access method? Sending sophisticated phishing emails that appeared to be from legitimate companies. More often than not, it worked.
Even with security education becoming a part of the IT budgets of many organizations, phishing is still incredibly effective for bad guys who do it well.
Maksim and Igor obviously knew what they were doing, as the two men were able to pull off one of the largest fraud schemes of the past decade.
Watch Russian Hackers Show Off the Supercars They Purchased With Funds Stolen From Phishing American Businesses.
Before their deception was discovered by federal authorities, the hackers who went by the code names "Aqua" and "Enki" had hijacked personal financial data from businesses in over 11 states--racking up damages in excess of 70 million and making the two Russians (who are unlikely to ever be caught) filthy rich.
Their phishing schemes have afforded them a lavish lifestyle overseas; the NCA recently spotted Maksim showing off his custom Lamborghini by doing a series of donuts and burnouts on public streets.
The pair are reported to be a part of the Russian hacking group "Evil Corp," whose associates are living large on their stolen American funds.
According to an IBM study, 95% of cyber crimes still rely on human error to be successful. Hackers like Aqua and Enki don't care if they are taking funds from schools, holy sisters or small businesses--in today's high-risk environment, everyone is a target.
If there is anything to be learned from the escalation of events like these, it's that cybersecurity is a war waged daily between criminal syndicates and workers at companies with personal data worth stealing.
As Sun Tzu taught in The Art of War, sometimes the best defense is a good offense. This thinking applies when it comes to cyber crimes like phishing and spoofing.
There is no foolproof solution, but we recommend a proactive, dynamic approach that includes security measures such as multi-factor authentication in combination with ongoing employee security training and regular security scoring.
Of course, having secure backups and up-to-date software is a must, but the small businesses that invest in more proactive approaches to security will be the ones kept out of news like this. If you need help budgeting for cybersecurity in 2020, our free guide and worksheet can help.
"We are making a big push for 2020 to include security in every customer discussion. Microsoft is changing how to fight against the ever-growing threat landscape with easily deployable tools. Our security push not only includes what happens after the breach, but now training before to help spot when something looks out of place beforehand," says Graham Cobb, Director of Customer Experience for PTG.
If you're looking to get a benchmark on your company's security, PTG's security report card is a great place to start.