Company:Group-IB

From HandWiki
Revision as of 21:35, 4 February 2023 by AstroAI
Group-IB
Type: Private
Industry: IT Security
Founded: 2003
Founder: Ilya Sachkov
Headquarters: Moscow, Russia
Area served: Global
Website: group-ib.com

Group-IB develops software and hardware for proactive cyber defence.

In 2015, Gartner included Group-IB in the top 7 global vendors of threat intelligence.[1] In 2017, the company was named the leader in the Russia Threat Intelligence Security Services Market Analysis conducted by IDC[2] and was listed among the Top-5 Threat Intelligence vendors in Forrester's Vendor Landscape: External Threat Intelligence, 2017 report.[3]

Group-IB's head office is located in Moscow, Russia.

History

Ilya Sachkov, the founder

Group-IB was founded in 2003 by a group of students of Bauman Moscow State Technical University, headed by Ilya Konstantinovich Sachkov. They were acting as an agency for investigating cyber-attacks. Since then, Group-IB has been involved in a range of incident response and investigations across the world,[4] actively cooperating with international partners to detect perpetrators and bring them to justice.[5]

Group-IB participated in the first successful cybercrime case in Russia where the organizers of the criminal groups were identified and arrested. These criminals were involved in financial theft from bank accounts using malware for PCs, mobile devices, phishing attacks, and targeted attacks on financial institutions in Russia. The company is generally involved in a series of international operations and leverages close cooperation with international law enforcement agencies to get the criminals wherever they hide. According to Group-IB, up to 80% of all high-profile investigation cases in the field of high-tech crime in Russia are supported by Group-IB experts.[6]

In 2010 Group-IB established the largest computer forensics laboratory in Eastern Europe.[7]

In 2011 the company established its Computer Emergency Response Team (CERT)—the first round-the-clock computer security incident response team in Eastern Europe, called CERT-GIB.[8] With the status of a Competent Security Organization recognized by Coordination Center for TLD RU (administrator of the national top-level domains .ru and .рф)[9] and collaboration with CERTs worldwide, the company has developed a series of effective intellectual property protection services.

Group-IB successfully protected the Sochi 2014 Olympic brand, products and ticket sales,[10] blocked pirated links to TV series and movies owned by Sony Pictures, Paramount Pictures, Fox TV series', Discovery Channel, Amedia (which has exclusive rights to HBO TV series in Russia),[11] as well as fraudulent websites abusing brands of popular banks and payment systems.[12]

Since 2012, Group-IB has been developing their Early Warning System to provide cyber defence to companies around the world. In 2015 Gartner included Group-IB's core product—Group-IB Intelligence—in the top 7 global threat intelligence solutions along with products developed by IBM, FireEye, RSA and Check Point.[13]

Since 2007, Group-IB has been cooperating with Microsoft. In 2015, the two companies presented joint research on the economic impact of cyber-attacks.[14]

Group-IB is a resident of the Moscow-based Skolkovo Foundation (dubbed "Russian Silicon Valley"). As part of Skolkovo innovative projects, Group-IB created the so-called "CyberCop", a global counter-cybercrime system.

The company has also established an additional office in Innopolis—a science park in Tatarstan, Russia.

Owners and leadership

In 2010, LETA Group, an investment and management company in information technology, acquired 50% of Group-IB's assets. In 2013, Group-IB management bought out LETA Group's share.[15]

In mid-2016 Russian-founded Altera Capital and Run Capital each bought a 10 percent stake in Group-IB.

According to the company's announcement, Group-IB will leverage these investments to develop products and create R&D hubs in the Middle East, Southeast Asia and Latin America, as well as to hire local forensic specialists and improve sales performance at the American, European, and Asian markets.[16]

International cooperation

  • Group-IB is an official partner of Europol. On June 17, 2015 European Cybercrime Centre signed a Memorandum of Understanding (MoU) with Group-IB in order to initiate cooperation in fighting cybercrime.[17] The ceremony was held in The Hague.[18]
  • In 2013 Group-IB and its CERT-GIB entered into a strategic partnership with International Multilateral Partnership Against Cyber Threats, a cybersecurity alliance supported by the United Nations.
  • CERT-GIB is an accredited member of Trusted Introducer—an association which includes many European computer security incident response teams[19] and a member of FIRST (Forum of Incident Response and Security Teams), which enables CERT-GIB to exchange data with CERTs in 78 countries and promptly block dangerous websites worldwide.[20]
  • Group-IB is a member of OWASP, the largest professional association of specialists in vulnerability assessment and web application security. Group-IB experts contributed to the OWASP SCADA Security Project, which aims to enhance the security of industrial systems.[21]
  • The company is a member of OASIS, a global non-profit consortium that works on the development, convergence and adoption of data exchange standards. Group-IB's intelligence data is transmitted in STIX/TAXII format according to standards of cyber threat information exchange developed by OASIS.[22]
  • In 2016, Group-IB and Thailand's King Mongkut's Institute of Technology Ladkrabang signed a MoU to facilitate their cooperation in the field of cyber security and promote Group-IB's expertise in Thailand.[23]

Technology

According to Gartner, "being involved in the most high-profile investigations allows Group-IB to get more information about cybercriminals, their relationships and other intelligence".[1] In addition to investigation materials and forensics expertise, GIB's threat data collection is based on the high-tech infrastructure that includes:

  • compromised data tracking and data extraction from botnets; automatic search and monitoring of "underground" forums;
  • vast databases of known cyber criminals and gangs that identify intersections and analyze social graphs;
  • identification of new threats using behavioral analysis and machine learning technology;
  • detection of infections, attempts of remote control and other indications of fraud schemes targeting clients of online banking and Internet portals without installation on client devices;
  • detection of phishing resources and rogue mobile applications and extraction of their phishing kits—modules designed to store and transmit stolen data.

Early Warning System for Cyber Defence

The GIB Intelligence service provides personalized information for security strategy planning, time-sensitive decision-making and tuning of protection tools. It buys time for incident prevention by quickly discovering theft of clients' and employees' identifiers, tracking changes in the tactics and tools used by criminal groups potentially interested in a company, and prioritizing threats based on expert forecasts.[24]

TDS is a hardware and software appliance that prevents infection and exploitation of vulnerabilities in corporate networks. The TDS sensors track suspicious activity in a corporate network, while the CERT-GIB experts identify critical threats, immediately inform the information security service and help stop an incident from developing. TDS Polygon runs suspicious files downloaded by users or received by mail in an isolated environment and produces an objective verdict on how harmful they are, based on a classification built with machine learning.[25]

Secure Bank eliminates "blind spots" in online payment security by detecting signs of infection, remote control of a client's machine, or compromise of identifiers during authorization. Secure Portal prevents unauthorized access to personal accounts, personal data and web users' bonus accounts, and blocks various fraudulent scenarios, from the use of bots to the display of competitors' offers on a portal site.[26]

Awards

  • In 2015, Group-IB's founder Ilya Sachkov received the EY Entrepreneur of the Year National Award in the "Telecommunications" category and Special "Business Internet Choice" Prize.[27]
  • In 2016, Sachkov (Group-IB's CEO) was named to the Forbes 30 Under 30 list of the brightest young entrepreneurs under 30, according to Forbes magazine.[28]
  • In 2016, Ilya Sachkov received the EY Entrepreneur of the Year National Award in the "IT for Business" category.[29]

Major threats detected by Group-IB

Lazarus: state-sponsored attack

In May 2017 Group-IB issued a report that proved a connection between North Korea and the Lazarus group, which stole $18 mln from Bangladesh Central Bank, conducted a number of attacks on Polish banks, and attempted to infect hundreds of financial organizations in 30 countries around the globe, including the European Central Bank and the central banks of Russia, Brazil and Venezuela. Company experts researched the complex technological infrastructure, communication channels and concealment techniques, presented new evidence of Lazarus attribution to North Korea and revealed details of the attack.[30]

Cobalt: logical attacks

In July 2016, a group of masked cyber-criminals "jackpotted" 34 ATMs operated by First Bank, one of Taiwan's largest banks. The perpetrators stole T$83.27 (over $2m USD).[31] According to CCTV footage, the thieves used cellphones to trigger the ATMs to automatically dispense money. Group-IB experts were the first to discover the "jackpotting" attack tactics used by the Cobalt gang to force ATMs to spit out cash using malware.[32] Group-IB released a report "Cobalt: Logical attacks on ATMs" that provided a detailed analysis of the attack scheme.[33] To get into the bank's internal network, hackers used spear phishing emails with a malicious attachment. The emails purported to come from the European Central Bank, the ATM maker Wincor Nixdorf, and local banks. After establishing control over the bank's internal network, the criminals searched for network segments from which they could gain access to ATMs and to the workstations of bank employees who control ATMs. Once access to ATMs was obtained, they uploaded specific software to them, allowing the criminals to control cash dispensers.

Corkow

In February 2016, Group-IB published a report titled "Analysis of attacks against trading and bank card systems" about the first major successful attack on a trading system provoking major exchange volatility. In February 2015, the Corkow criminal group infected a trading system terminal of Kazan-based Energobank using a specialized Trojan software resulting in trades of more than $400 million. The hackers moved the ruble-dollar rate more than 15 percent in minutes on the Moscow Exchange. The bank claimed losses of 244 million rubles ($3.2 million) due to the trades.[34]

Buhtrap

In March 2016 Group-IB published a report on the activity of the Buhtrap criminal group, which managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 million) from August 2015 to February 2016.[35] The high effectiveness of these attacks was due to spear phishing mailouts, including those sent in the name of the Central Bank of Russia, which the criminals used to gain access to the corporate network. Criminals obtained access to computers running the Automated Working Station of the Central Bank Client (AWS CBC), free software that delivers payment documents on behalf of the Central Bank, and performed fraudulent transactions acting as the bank. The attack scheme outlined in the report published by Group-IB was later used to perform thefts via SWIFT.[36] Buhtrap was the first hacker group to use a network worm to infect the overall bank infrastructure, which significantly increased the difficulty of removing all malicious functions from the network. As a result, banks had to shut down the whole infrastructure, because the worm was able to gain full control over the network using a single infected machine.[37]

Anunak/Carbanak

In late 2014 Fox-IT and Group-IB jointly released a report on the Anunak (aka Carbanak) hacker group that had stolen more than 1 billion rubles from over 50 Russian banks. In Europe Anunak attacked POS terminals of large retail store chains, with data of several million clients compromised.[38] The group has not performed successful thefts since early 2015.[39]

Reverse ATM Attack

In autumn 2015, a novel technique of targeted attacks called a "reverse ATM attack" came to light that allowed criminals to steal money from ATMs. "Money mules" (criminal payment agents) would deposit small sums into unembossed cards with legitimate accounts, immediately withdrawing what they'd put in. They also took a receipt from the ATM, which contained a payment reference number and the amount withdrawn. That information was sent to hackers who would use the data and their access to thousands of point of sale terminals, primarily based in the USA and the Czech Republic, to create "a reversal operation" on a terminal that tricked the bank into believing the withdrawal of funds had been cancelled. At the point of sale terminal, this looked as though goods were returned or a payment was declined, whilst to the banks it appeared the ATM withdrawal had been cancelled. Funds were returned to the account, though the perpetrators had already taken the cash. The process was repeated until there was no money remaining in the target ATM. During these attacks criminals managed to steal 252 million rubles ($3.8 million) from five large Russian banks. The fraud can no longer be perpetrated due to additional security systems implemented by banks with the assistance from VISA and Mastercard.[40]
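
A defender-side consistency check for the pattern described above, as an added example that is not from Group-IB or the cited report: it flags reversals that cancel an ATM withdrawal but arrive from a different terminal, or after the ATM confirmed that cash was dispensed. The record layout, field names, terminal identifiers and sample ledger are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: int                  # seconds since the start of the sample window
    kind: str                # "DEPOSIT", "ATM_WITHDRAWAL" or "REVERSAL"
    ref: str                 # payment reference number (printed on the receipt)
    account: str
    amount: int              # rubles
    terminal: str            # terminal that submitted the message
    dispensed: bool = False  # ATM confirmed that cash left the dispenser


# Constructed sample ledger (hypothetical identifiers, not real data).
SAMPLE = [
    Txn(0, "DEPOSIT", "D-1", "acct-mule", 5000, "ATM-17"),
    Txn(60, "ATM_WITHDRAWAL", "W-1", "acct-mule", 5000, "ATM-17", dispensed=True),
    Txn(900, "REVERSAL", "W-1", "acct-mule", 5000, "POS-US-0042"),
    Txn(1000, "ATM_WITHDRAWAL", "W-2", "acct-mule", 5000, "ATM-17", dispensed=True),
    Txn(1800, "REVERSAL", "W-2", "acct-mule", 5000, "POS-CZ-0007"),
    # Legitimate case: the ATM faulted, no cash left it, and the same ATM reversed.
    Txn(2000, "ATM_WITHDRAWAL", "W-3", "acct-ok", 3000, "ATM-09", dispensed=False),
    Txn(2005, "REVERSAL", "W-3", "acct-ok", 3000, "ATM-09"),
    # Ordinary POS refund: references no ATM withdrawal, so it is out of scope.
    Txn(2100, "REVERSAL", "P-77", "acct-shop", 1200, "POS-US-0042"),
]


def audit_reversals(ledger):
    """Return (ref, account, reasons) for reversals that cancel an ATM
    withdrawal in a way a genuine ATM-side cancellation would not."""
    withdrawals = {t.ref: t for t in ledger if t.kind == "ATM_WITHDRAWAL"}
    findings = []
    for rev in (t for t in ledger if t.kind == "REVERSAL"):
        orig = withdrawals.get(rev.ref)
        if orig is None:
            continue  # not a reversal of an ATM cash withdrawal
        reasons = []
        if rev.terminal != orig.terminal:
            # The cancellation did not come from the ATM that paid out.
            reasons.append("terminal mismatch")
        if orig.dispensed:
            # The money is already gone; crediting the account pays it twice.
            reasons.append("cash already dispensed")
        if reasons:
            findings.append((rev.ref, rev.account, tuple(reasons)))
    return findings


def repeat_accounts(findings, threshold=2):
    """Accounts with several flagged reversals, matching the repeated
    deposit/withdraw/reverse cycle described in the text."""
    counts = Counter(account for _, account, _ in findings)
    return sorted(a for a, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    flagged = audit_reversals(SAMPLE)
    for ref, account, reasons in flagged:
        print(ref, account, ", ".join(reasons))
    print("repeat accounts:", repeat_accounts(flagged))
```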

ISIS hacker attacks on Russian resources

According to the report released by Group-IB in March 2015, hackers from the self-proclaimed Islamic State of Iraq and the Levant (ISIS) attacked 600 Russian Internet resources in 2014. Criminals primarily defaced websites placing pictures and video with ISIS propaganda. Hackers are believed to have attacked not only government organizations, banks and popular resources, but also galleries and schools. These attacks were chaotic and massive; researchers believe that they were aimed to gain experience and perform reconnaissance of the Russian Internet. According to Group-IB's report, these attacks were performed not just by ISIS cyber division, Cyber Caliphate, but by 3 more criminal groups called Team System Dz, FallaGa Team and Global Islamic Caliphate totalling over 40 members.[41]

Notable public investigations

Exploits: Blackhole (Paunch)

In Autumn 2013 Group-IB supported investigative activity that resulted in the arrest of Dmitry Fedotov, known under the nickname Paunch, the author of the infamous Blackhole exploit pack, which was, at the time, used to conduct 40% of infections worldwide.[42] The criminal was sentenced to 7 years in prison according to the national legislation in April 2016.[43]

Attacks on legal entities: Carberp, Germes, Hodprot

In 2012 law enforcement agencies, with assistance from Sberbank and Group-IB, arrested the largest criminal gang in Russia. In two years, the group managed to infect over 1.5 million computers worldwide and steal approximately $250 million from bank accounts. In total, over 100 banks suffered from their attacks throughout the world. Group-IB engaged their partners in the Netherlands and Canada in the investigation, which enabled the company to identify the full chain of actors including the organizer, who owned the botnet, operators, and cashers ("money mules").[44] It was the first case in Russia when all members of the criminal group were arrested; the leaders were sentenced to between 5 and 8 years in prison.[45] In the same year members of other criminal groups, who used Carberp modifications to attack individuals and companies, were arrested. In the summer of 2012 a hacker known as Germes (aka Arashi) was arrested. He was a creator of one of the largest global botnets that had infected over 6 million computers.[46] Following this, 7 members of the Hodprot criminal group were detained. One of the oldest Russian hacker gangs is known to have stolen approximately 125 million rubles from Russian bank accounts. All members of the criminal group were arrested, even though they are known to have used control servers located abroad – in the Netherlands, Germany, France and the USA.[47]

Android Trojans: "5th Reich", WapLook, Cron

In April 2015 members of a hacker group, which had infected over 340,000 Android-based devices to steal money from bank accounts, were arrested with assistance of Group-IB and Sberbank. Hackers dubbed their malware "the fifth Reich" and used Nazi symbols in the control system.[48] The hackers distributed the malware via SMS messages containing a link to download a program masked as Adobe Flash Player. The Trojan enabled hackers to intercept SMS notifications from banks and furtively confirm money transfers to the hackers' accounts. The attack scheme was similar to that used by WapLook, the first criminal group whose members were arrested for money theft from individuals using malicious mobile apps in Russia. Group leaders were arrested in September 2014 with assistance from Group-IB. In May 2017 the Russian Ministry of Internal Affairs announced the arrest of the Cron gang, which had infected more than 1 mln smartphones. Group-IB provided expert support to the investigation.[49] The Cron Banking Trojan spread in two ways: via SMS, when the user clicked on the link in the message and installed a malicious application, or disguised as a legitimate application such as Navitel, Framaroot, Pornhub, Avito etc. The hackers infected up to 3,500 smartphones daily, and managed to steal about $1 mln in total.

Phishing: Popelysh brothers

In June 2015, twin brother hackers were reportedly arrested in St. Petersburg, Russia, as part of a police operation assisted by Group-IB. Over 4 years, the Popelysh brothers had stolen money from client accounts of VTB24 online banking using a fake bank page to grab client data. This was the first case in Russia in which legal proceedings were taken against criminals using phishing schemes.[50]

References

  1. Ruggero Contu, Rob McMillan (14 October 2014). "Competitive Landscape: Threat Intelligence Services, Worldwide, 2015". Gartner. https://www.gartner.com/doc/2874119/competitive-landscape-threat-intelligence-services. 
  2. Maslennikov, Denis (2017). "Russia Threat Intelligence Security Services 2016 Market Analysis and 2017–2021 Forecast". International Data Corporation. http://www.idc.com/getdoc.jsp?containerId=CEMA42095117. 
  3. "Cyber Threat Intelligence Vendor landscape by Forrester". Forrester Research. 2017. https://www.group-ib.com/threat_intelligence_vendors.html. 
  4. Jim Finkle and J.R. Wu (January 5, 2017). "Taiwan ATM heist linked to European hacking spree: security firm". Reuters. https://www.reuters.com/article/us-taiwan-cyber-atms-idUSKBN14P0CX. 
  5. "Group-IB supports INTERPOL in disrupting Dorkbot botnet". Group-IB. December 17, 2015. http://www.group-ib.com/index.php/7-novosti/940-group-ib-supports-interpol-in-disrupting-dorkbot-botnet. 
  6. "About Group-IB". Group-IB. http://www.group-ib.com/about.html. "80% of high-profile cybercrimes in Russia and CIS are investigated by Group-IB" 
  7. Schwartz, Mathew J. (June 2, 2016). "Russian Police Bust Alleged Bank Malware Gang". http://www.bankinfosecurity.com/russian-police-bust-alleged-bank-malware-gang-a-9163. 
  8. Lucian, Constantin (March 28, 2013). "Researchers find new point-of-sale malware called BlackPOS". http://www.pcworld.com/article/2032336/researchers-find-new-pointofsale-malware-called-blackpos.html. 
  9. "Group-IB to help combating cibercrime in domains .РФ and .RU". Coordination Center for TLD RU. 2011-12-23. https://cctld.ru/en/news/news_detail.php?ID=3366&sphrase_id=138576. 
  10. "Sochi 2014 Commemorative certificate" (PDF). International Olympic Committee. 2014. http://www.group-ib.ru/testimonials/sochi.pdf. 
  11. "Internet criminalists: how Russia’s main cyber detective agency is organized". Group-IB. http://www.group-ib.com/index.php/7-novosti/828-internet-criminalists-how-russias-main-cyber-detective-agency-is-organized. 
  12. "Qiwi и Group-IB объединили усилия для защиты электронных платежей" (in Russian). 2014-04-10. http://www.cnews.ru/news/line/qiwi_i_groupib_obedinili_usiliya_dlya. 
  13. "Market Guide for Security Threat Intelligence Services". Gartner. 14 October 2014. https://www.gartner.com/doc/2874317/market-guide-security-threat-intelligence. 
  14. Kuchma, Anna (April 14, 2016). "Russia loses $3.3 billion to cyber attacks". https://www.rbth.com/business/2016/04/14/russia-loses-33-billion-to-cyber-attacks_584971. 
  15. "Group-IB management buys out LETA Group’s share". LETA Group. 5 November 2013. http://en.leta.vc/news/menedzhment-group-ib/. 
  16. Фролов, Андрей (2016-08-15). "Российские специалисты по информбезопасности Group-IB продали 20% компании фондам Altera и Run Capital". https://vc.ru/n/group-invest. 
  17. "Europol signs agreement with Group-IB to cooperate in fighting cybercrime". Europol. 17 June 2015. https://www.europol.europa.eu/newsroom/news/europol-signs-agreement-group-ib-to-cooperate-in-fighting-cybercrime. 
  18. "Europol signs agreement with group-ib to cooperate in fighting cybercrime". Group-IB. 17 June 2015. http://www.group-ib.com/index.php/7-novosti/932-europol-signs-agreement-with-group-ib-to-cooperate-in-fighting-cybercrime. 
  19. "Trusted Introducer overview". https://www.trusted-introducer.org/processes/overview.html. 
  20. "Computer Security Incident Response Team CERT-GIB". https://www.first.org/members/teams/cert-gib. 
  21. "Group-IB to participate in the OWASP project". Group-IB. 19 March 2013. http://www.group-ib.com/index.php/7-novosti/714-group-ib-to-participate-in-the-owasp-project. 
  22. "OASIS Products". OASIS organization. https://wiki.oasis-open.org/cti/Products. 
  23. "สจล. ร่วมมือยักษ์ไอทีรัสเซียยกระดับไซเบอร์ซีเคียวริตี้ไทย" (in Thai). 2016-07-25. http://www.mxphone.net/250716-kmitl-group-ib-it/. 
  24. "Российские киберпреступники получили в 2013 г. почти $2,5 млрд" (in Russian). Vedomosti. 2014-10-15. http://www.ixbt.com/news/soft/index.shtml?18/34/85. 
  25. Иван Бойцов (2016-10-26). "Обзор рынка защиты от целевых атак" (in Russian). https://www.anti-malware.ru/analytics/Market_Analysis/protection-market-against-targeted-attacks-review. 
  26. "Secure Bank: Innovative solution for secure online payments". Group-IB. http://www.group-ib.com/secure_bank.html. 
  27. "Russian winners announced for 2015 EY Entrepreneur Of The Year®". EY. 27 November 2015. http://www.ey.com/ru/en/newsroom/news-releases/news-russian-winners-announced-for-2015-ey-entrepreneur-of-the-year. 
  28. "Meet The 30 Under 30: Enterprise Tech". Forbes. 2016. https://www.forbes.com/30-under-30-2016/enterprise-tech/#ccb431a50230. 
  29. "Стало известно имя победителя международного конкурса EY «Предприниматель года 2016» в России". Business FM. 2016-11-29. https://www.bfm.ru/news/340112. 
  30. Leyden, John (30 May 2017). "NORK spy agency blamed for Bangladesh cyberheist, Sony Pictures hack". The Register. https://www.theregister.co.uk/2017/05/30/nork_spy_agency_lazarus_group_attribution/. 
  31. Murdock, Jason (August 24, 2016). "Thai bank shuts down half its ATMs after 'Eastern European cyber-gang' heist". International Business Times. http://www.ibtimes.co.uk/thai-bank-shuts-down-half-its-atms-after-eastern-european-cyber-gang-heist-1577806. 
  32. Finkle, Jim (2016-11-21). "Hackers target ATMs across Europe as cyber threat grows". Reuters. https://www.reuters.com/article/us-cyber-banks-atms-idUSKBN13G24Q?il=0. 
  33. "Cobalt: logical attacks on ATMs". Group-IB. 2016. https://www.group-ib.com/cobalt.html. 
  34. "Russian Hackers Moved Ruble Rate With Malware, Group-IB Says". Bloomberg. 2016-02-08. https://www.bloomberg.com/news/articles/2016-02-08/russian-hackers-moved-currency-rate-with-malware-group-ib-says. 
  35. Kantyshev, Pavel (2016-03-18). "Хакеры украли $25 млн у 13 российских банков". Vedomosti. https://www.vedomosti.ru/finance/articles/2016/03/18/634123-hakeri-rossiiskih-bankov. 
  36. "New Russian Hacker Cell Hit 13 Banks Since August, Group-IB Says". Bloomberg. 2016-03-17. https://www.bloomberg.com/news/articles/2016-03-17/new-russian-hacker-cell-hit-13-banks-since-august-group-ib-says. 
  37. "Buhtrap: the evolution of targeted attacks against financial institutions". Group-IB. 2016. http://www.group-ib.com/buhtrap-report.html. 
  38. Pavel Sedakov, Dmitry Filonov (2014-12-22). "Брать по-крупному: группировка хакеров ограбила более 50 банков" (in Russian). Forbes. http://www.forbes.ru/tekhnologii/internet-i-svyaz/276227-brat-po-krupnomu-kak-odna-gruppirovka-khakerov-ograbila-bolee-50. 
  39. "High-Tech Crime Trends 2015". Group-IB. http://www.group-ib.com/index.php/7-novosti/939-high-tech-crime-trends-2015. 
  40. Paganini, Paganini (November 26, 2015). "Russian criminals Steal $4 Million In cash with a new technique dubbed reverse ATM Attack.". http://securityaffairs.co/wordpress/42272/cyber-crime/reverse-atm-hack-method.html. 
  41. Bennett, Cory. "ISIS hackers have hit hundreds of Russian websites". The Hill. http://thehill.com/policy/cybersecurity/237031-isis-hackers-have-hit-hundreds-of-russian-websites. 
  42. "Who Is Paunch?". December 2013. http://krebsonsecurity.com/2013/12/who-is-paunch/. 
  43. Seals, Tara (2016-04-19). "Blackhole's Paunch Sentenced to 7 Years in Russian Penal Colony". https://www.infosecurity-magazine.com/news/blackholes-paunch-sentenced-to-7/. 
  44. "Members of the largest criminal group engaged in online banking fraud are detained". Group-IB. https://www.group-ib.com/index.php/7-novosti/627-members-of-the-largest-criminal-group-engaged-in-online-banking-fraud-are-detained. 
  45. Fahmida Y. Rashid (April 4, 2013). "Russian Authorities Claim Capture of Mastermind Behind Carberp Banking Trojan". http://www.securityweek.com/russian-authorities-claim-capture-mastermind-behind-carberp-banking-trojan. 
  46. Liam Tung (June 26, 2012). "Russian Carberp botnet kingpin arrested". http://www.cso.com.au/article/428671/russian_carberp_botnet_kingpin_arrested_/. 
  47. Harley, David (2012-06-04). "Carberp and Hodprot: six more gang members held". http://www.welivesecurity.com/2012/06/04/carberp-and-hodprot-six-more-gang-members-held/. 
  48. "Кибер-фашисты из Челябинской области использовали вирус "5 рейх"" (in Russian). REN TV. 2015-04-13. http://ren.tv/novosti/2015-04-13/kiber-fashisty-iz-chelyabinskoy-oblasti-ispolzovali-virus-5-reyh. 
  49. Stubbs, Jack (2017-05-22). "Hackers hit Russian bank customers, planned international cyber raids". Reuters. https://www.reuters.com/article/us-russia-cyber-banks-idUSKBN18I0VE. 
  50. "Дело о фишинге: как ловили хакеров-близнецов из Санкт-Петербурга" (in Russian). RIA Novosti. 2012-12-21. https://ria.ru/incidents/20121221/915789715.html.