Global Cyber Security Company

Group-IB aided Russian law enforcement agents in arresting yet another cybercriminal group

June 05, 2012

Group-IB has announced it assisted Russian law enforcement agents with an investigation, ultimately resulting in the apprehension of yet another prominent cybercriminal group. The Hodprot group had been active for over four years, engaged in theft of funds from online banking systems via the use of banking malware. The group's activity yielded damages of over 125 million rubles (approximately $3.7 million) for the online banking users.

The arrest of the six members of the Hodprot group was carried out by the Office of Economic Security and Counter-Corruption of the MVD in Moscow. This operation was part of the investigation instituted on the facts of theft of funds via the Sberbank online banking system.

The Hodprot group had been operating since 2009, specializing in stealing money from corporate bank accounts. In the beginning, the criminals were using the Hodprot malware, switching to Carberp, another banking malware, in 2011.

This group was directly involved in four cases targeting Sberbank clients, with damages totaling more than 13 million rubles (approximately $500,000), along with numerous instances of theft from the accounts of other banks, totaling over 110 million rubles (approximately $3.3 million).

"This is the second Carberp group neutralized by Russian law enforcement agents with our active involvement within the past three months," said Ilya Sachkov, CEO of Group-IB. "In this particular case, we provided special expertise and assistance in identifying the criminals, and establishing their roles and relationships within the cybercriminal group. Subsequent investigation by our forensics lab confirmed the involvement of these criminals to the specific cases of theft of funds."

Despite the geographically distributed use of the command and control servers in Holland, Germany, France, and the United States, all group members have been arrested and the group is neutralized. The arrest procedure was carried out simultaneously in several regions of Russia with the direct participation of the experts from Group-IB's forensic lab.

"Thanks to the organized interaction with Group-IB, we have put a stop these illicit activities. In particular, those related to the theft of funds from the Bank of Moscow and funds from other commercial online banking system," said Mikhail Kamordin, Deputy Director of the Security Bank of Moscow. "Together, we have managed to clamp down a dangerous and mobile group of criminals employing the most technologically sophisticated methods of theft."

Group-IB would like to express its special appreciation to the Moscow branch of Sberbank for their funding, information sharing, and assistance while working with the law enforcement agencies. Thanks also to the ESET Centre of Viral Studies, who assisted us in analyzing the malware used by this group.

The Hotprod group members are currently being prosecuted by the Investigation Department of the MVD and are facing charges under Article 159 (fraud), 273 (creation, dissemination, and use of malicious software), and 272 (unauthorized access to computer information) of the Russian Criminal Code.

The grounds for criminal prosecution and apprehension have been made available as a result of the verification made by the Office of Economic Security and Counter-Corruption of the MVD as per the request of Sberbank, along with the expert analysis and research prepared by Group-IB and the Office of Security of Sberbank in Moscow, in cooperation with the Department of the Information Security of Sberbank of Russia.

The official press release of the Russian Ministry of the Interior (MVD) regarding this case is available at http://www.mvd.ru/news/show_106992/ and http://uebmoscow.ru/1338791106.

About Group-IB

Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB, CERT-GIB operates as the first private computer emergency response team in Russia. Group-IB is part of LETA Group.

For additional information contact Bogdan Vovchenko, Group-IB’s Head of PR department, at +7 (495) 661-5538, ext. 151, or [email protected].

About company
Legal services
Brand protection
Investigation
Incident Response
Incident Investigation
DDoS Attack Investigation
Online Banking Fraud Investigation
Botnet Monitoring
Computer Forensics
Collecting Digital Evidence
Expert Participation in Investigative Actions
Forensic Investigations
Data Recovery
Software Auditing
Malware Investigation
Peer-Reviewing Third-Party Determinations
Auditing and Consulting
Information Security Testing and Assessment
Penetration Testing and Vulnerability Assessment
Application Security Code Review
Web-Application Security Assessment
SCADA & ICS Security Assessment

© 2003 — 2013 «Group-IB» All rights reserved, a part of LETA Group