Cyber-crime syndicate tried to intimidate antivirus vendor

Oct 1, 2015 00:59 GMT  ·  By

In some cases, cyber-security work can turn really dangerous, and even deadly, if you manage to disrupt the revenue stream of international crime syndicates. Fortunately, this is not the case in the incident we are going to tell you about, but it could have been.

In an interview that Boris Sharov gave to Brian Krebs, the Dr.Web antivirus CEO acknowledged a series of incidents from the spring of 2014, when unknown assailants attacked various Dr.Web offices with fire bombs (petrol bombs, Molotov cocktails).

The reason behind these attacks, as Mr. Sharov reveals, is his company's research, which in December 2013 uncovered a new strain of ATM malware that the company promptly added to its virus database.

Seeing their revenue stream affected, the people behind the malware sent Dr.Web two emails (read them at the end of the article) giving the company an ultimatum: remove the malware from its database, or face consequences.

Attacks were recorded at Dr.Web's Saint Petersburg, Moscow, and Kiev offices

Dr.Web’s CEO says that after the first email was received, on March 9, 2014, someone firebombed the Saint Petersburg office of a company that sold Dr.Web’s ATM Shield, a security product that was designed to protect ATMs against various cyber-threats. A second attack followed a few days later, but as with the first one, the attacker was not caught, and the damage was minimal.

Two weeks later, the second email was received, and a third attack was carried out on the same office, but this time an attacker was caught. Police had to release the suspect because no witness came forward to testify against him.

Sharov added that the company's security staff also detected two intrusions into its Moscow office, and that on April 14, 2014, a fire attributed to an electrical issue was put out in its Kiev office.

The cyber-gang operated from Ukraine

Soon after the Kiev incident, Dr.Web received an email containing a photograph of its Kiev office, which led the CEO to believe that the cyber-crime gang was based in Ukraine, and that the previous attacks had been ordered via the Dark Web.

His original suspicions were confirmed by a Moscow bank, which detected the cyber-group's activities a few weeks later.

Asked by Mr. Krebs who he thought was behind the attacks, Sharov said he believed it was only the programmers who wrote the malware, and not a true cyber-crime syndicate; otherwise, the attacks would have been much more brutal.

Attacker Emails