Russian Criminal Group Finds New Target: Americans Working at Home

The hackers call themselves “Evil Corp.,” a play off the “Mr. Robot” television series. In December, the Justice Department said they had “been engaged in cybercrime on an almost unimaginable scale,” deploying malware to steal tens of millions of dollars from online banking systems. The Treasury Department placed sanctions on them, and the State Department offered $5 million for information leading to the arrest or conviction of the group’s leader.

The indictment is one of many in the past few years against Russian groups, including intelligence agents and the Internet Research Agency, accused of interfering in the 2016 election. Those indictments were intended as a deterrent. But Moscow has protected Evil Corp.’s hackers from extradition, and they are unlikely to stand trial in the United States. In the Treasury Department sanctions announcement, the United States contended that some of the group’s leaders have done work for the F.S.B., the successor to the Soviet K.G.B.

The December indictment and the sanctions both named Maksim V. Yakubets, said by the Treasury Department to be “working for the Russian F.S.B.” three years ago, and “tasked to work on projects for the Russian state, to include acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf.”

Symantec said it had briefed federal officials on the findings, which are echoed by at least one other company monitoring corporate networks. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency did not immediately respond to questions about whether it had seen the same activity, or planned to issue a parallel warning.

But the attack’s methodology suggests it was intended for the work-at-home era.

The malware, Mr. Chien said, was deployed on common websites and even one news site. But it did not infect every computer used to go shopping or read about the day’s events. Instead, the code looked for a sign that the computer was part of a major corporate or government network. For example, many firms have their employees use a “virtual private network,” or V.P.N., a protected channel that allows workers sitting in their basements or attics to tunnel into their corporate computer systems as if they were at the office.

“These attacks do not try to get into the V.P.N.,” Mr. Chien said. “They just use it to identify who the user works for.” Then the systems wait for the worker to go to a public or commercial website, and use that moment to infect their computer. Once the machine is reconnected to the corporate network, the code is deployed, in hopes of gaining access to corporate systems.

The indictment was intended to put Evil Corp. out of business. It failed. In the month after the indictment, Evil Corp.’s hackers dropped off the map, but they picked up again in May, according to security researchers at Symantec and Fox-IT, another security company that is a division of the NCC Group. For the past month, they have been successfully breaking into organizations using custom ransomware tools.