As of: 03/06/2023 5:56 p.m
German investigators, together with the FBI and Europol, have exposed a group of cybercriminals. The hackers struck worldwide – in 2020 they paralyzed the University Hospital Düsseldorf. NRW Interior Minister Reul sees connections to Russia.
On Monday morning, the authorities, who together form the “Parker investigation group”, first informed the public about a strike against a global cyber gang, and in the early afternoon NRW Interior Minister Herbert Reul (CDU) followed up: He drew connections to the Russian domestic secret service FSB and the Wagner mercenary group, which supports the Russian armed forces in the Ukraine.
It is about a criminal network that extorts ransoms in the millions that are said to have damaged companies, authorities and parts of critical infrastructure worldwide. 601 victims are known, 37 of them in Germany. There is probably still a large dark field. Computer sabotage is accused of the criminals in addition to extortion. After an attack, the Düsseldorf University Clinic had to postpone operating theaters and close the emergency room, the Funke media group’s operations were massively disrupted and the Anhalt-Bitterfeld district had to declare a disaster after sabotage.
“These people who are being investigated here have caused massive damage in the past few months and have not stopped at our hospitals and the press,” Reul summarized the damage.
Searches in Düsseldorf and the Ukraine
In a joint investigation led by the “Central Contact Point Cybercrime” NRW, ZAC for short, Europol, the FBI and the Dutch and Ukrainian police have identified a network that is accused of these crimes. Last Tuesday, three properties in Düsseldorf and three in Ukraine were searched, Reul said. Search warrants for four other suspects had been sent to the Russian Federation and Moldova via requests for legal assistance.
The connections to the FSB and the Wagner group
While the head of ZAC NRW, Markus Hartmann, was reluctant to describe the exposed group as a “Russian hacker collective” because not all nationalities of the suspects were clear, NRW Interior Minister Reul goes much further: “We’re looking at Individuals in this group of perpetrators also have connections to the Russian domestic secret service FSB and the paramilitary mercenary group Wagner.” This is from publicly available sources.
Specifically, this is a hacker competition organized by the Wagner Group, in which one of the main suspects took part. Another person involved has “family contacts with a former, high-ranking employee of the Russian domestic secret service,” said Reul.
From this, the CDU politician draws the conclusion that there are increasing indications of “a debate where state institutions play a role”. This is “not brand new, but relatively clear now that you can get your hands on it”.
group with changing names
According to investigators, the network, which has now been exposed, is said to have acted under the name “Indrik Spider”, but also under “Double Spider” or “Double Spider”. Specifically, various malware could be assigned to the gang and the development of the attacks could be traced.
In addition to the attacks in Germany, the big attack on the British National Health Service in 2017 is also said to be attributable to the criminals. According to the investigators, they used ransomware called “BitPaymer”, an encryption Trojan-type ransomware. Since 2019, the group has increasingly appeared with the ransomware “DoppelPaymer”, the name was changed to “PayOrGrief” from 2021 and again to “Entropy” in January 2022.
Three suspects are wanted
11 members were specifically identified. Eight of them were found during house searches, but not arrested. Three suspects, two men and one woman, are now on international manhunt. They were also put on Europol’s list of most wanted suspects.
There are 22 allegations against the main suspect, 41-year-old Russian Igor Olegovich Turashev. He is also wanted by the FBI, which has offered a $5 million reward for him. Turashev, like the 36-year-old Russian Irina Zemlianikina, who was also wanted, worked administratively for the gang. The nationality of 42-year-old Igor Garshin is open, he is said to be one of the main people responsible for the attacks in Germany.
Damage amount difficult to quantify
Investigators did not name a specific amount of damage. It is very difficult to record, since the damage also includes completely reinstalling a company’s IT. In addition, there is a risk of further damage in the future due to stolen data.
New service sector cybercrime
Jan Op Gen Oorth from Europol described how the investigations into the crime complex gave new insights into structures that he described as “crime as a service”: You no longer need to have the expertise yourself, but can use it as a kind of service from criminals buy. The malware Emotec can be bought as a door opener, for example.
Like the German authorities, Europol warned companies against responding to blackmail and paying money to the criminals. This not only finances the criminal structures, but also puts the company on a so-called “white list” of victims who are willing to pay. This could lead to further attacks.
Network difficult to smash
Despite the success of the investigation, ZAC director Markus Hartmann dampened expectations: the network cannot be broken up by arrests. Because it is a financially very lucrative field of crime, others would quickly take over the roles of those arrested.
It is therefore important that the market loses its attractiveness. Companies must make IT security a top priority and protect data just as much as buildings and company premises, advised LKA boss Ingo Wünsch.
The ZAC and its working structures
The state-wide central contact point for cybercrime has been active since 2016 and is based at the Cologne public prosecutor’s office. Their field of activity is “all crimes that are directed against the Internet, data networks, IT systems or their data or that are committed using IT,” explains the NRW Ministry of Justice. The ZAC NRW has established itself as the nation’s largest cybercrime unit in the judiciary. Other federal states have similar special units. Since 2020, the “Task Force to Combat Child Abuse and the Spread of Child Pornography in Digital Media” has also been based at ZAC.