September 29, 2015

It’s notable whenever cybercime spills over into real-world, physical attacks. This is the story of a Russian security firm whose operations were pelted with Molotov cocktail attacks after exposing an organized crime gang that developed and sold malicious software to steal cash from ATMs.

molotovThe threats began not long after December 18, 2013, when Russian antivirus firm Dr.Web posted a writeup about a new Trojan horse program designed to steal card data from infected ATMs. Dr.Web received an email warning the company to delete all references to the ATM malware from its site.

The anonymous party, which self-identified as the “International Carders Syndicate,” said Dr.Web’s ATM Shield product designed to guard cash machines from known malware “threatens activity of Syndicate with multi-million dollar profit.”

The threat continued:

“Hundreds of criminal organizations throughout the world can lose their earnings. You have a WEEK to delete all references about ATM Skimmer from your web resource. Otherwise syndicate will stop cash-out transactions and send criminal for your programmers’ heads. The end of Doctor Web will be tragic.”

In an interview with KrebsOnSecurity, Dr.Web CEO Boris Sharov said the company did not comply with the demands. On March 9, 2014, someone threw a Molotov cocktail at the office of a third-party company that was distributing Dr.Web’s ATM Shield product. Shortly after that, someone attacked the same office again. Each time, the damage was minimal, but it rattled company employees nonetheless.

Less than two weeks later, Dr.Web received a follow-up warning letter:

“Dear Dr.Web, the International carder syndicate has warned you about avoidance of interference (unacceptable interference) in the ATM sphere. Taking into account the fact that you’ve ignored syndicate’s demands, we employed sanctions. To emphasis the syndicate’s purpose your office at Blagodatnaya st. was burnt twice.

If you don’t delete all references about atmskimmer viruses from your products and all products for ATM, the International carder syndicate will destroy Doctor Web’s offices throughout the world, In addition, syndicate will lobby the Prohibition of usage of Russian anti-viruses Law in countries that have representation offices of the syndicate under the pretext of protection against Russian intelligence service.”

After a third attack on the St. Petersburg office, a suspect who was seen running away from the scene of the attack was arrested but later released because no witnesses came forward to confirm he was the one who threw the bomb.

Meanwhile, Sharov said Dr.Web detected two physical intrusions into its Moscow office.

“This is an office where we have much more security than any other, but also many more visitors,” he said. “We had been on high alert after the fire bombings, and we’ve never had intrusions before and never had them after this. But during that period, we had three attempts to enter the perimeter and to do something bad, but I won’t go into details about that.”

Sharov said Dr.Web analysts believe the group that threatened the attacks were not cyber thieves themselves but instead an organized group of programmers that had sold — but not yet delivered — a crimeware product to multiple gangs that specialize in cashing out hacked ATM cards.

“We think this group got very nervous by the fact that we had published exactly what they’d done, and it was very untimely for them, they were really desperate,” Sharov said. “We believe our reports came out just after development of the ATM Trojan had finished but before it was released to customers.”

Sharov said he also believes that the group of malware programmers who sent the threats weren’t the same miscreants who threw the Molotov cocktails. Rather, Dr.Web maintains that those attacks were paid for and ordered over the Internet, for execution by strangers who answered a criminal help wanted ad.

“We are completely sure it was ordered [over the] Internet, through a black market where you can order almost any crime,” Sharov said, again declining to be more specific. “What we saw was some people from St. Petersburg throwing Molotov cocktails, running away from the guards. But those people were not from the IT criminal environment. All the attacks had been ordered by Internet. And since they never succeeded against our office, it showed us that not much money was paid for these attacks.”

Dr.Web believes the criminal programmers who hired the attacks on its properties and partners were operating out of Ukraine, in part because of the facts surrounding another fire in its Kiev office on April 14, 2014. Sharov said that fire was not started intentionally, but instead was the result of an electrical issue on a floor not occupied by Dr.Web.

“The fire squad came quickly and our office was just damaged a little bit by the water,” he recalled. “Very soon after that, we received another threat with a photograph of entrance to the Kiev office, and it said another fire was set there. That photograph gave away for us the fact that the team was somewhere in the Ukraine. Nobody had any published any photograph of the attacks on St. Petersburg or Moscow. The fact that they published that and tried to present the case that it was their [doing], they were not well informed.”

Not long after that incident, Sharov said his office got confirmation from a bank in Moscow that the team behind on the ATM Trojan that caused all the ruckus was operating out of Kiev, Ukraine.

In the 18 months since then, the number of ATM-specific Trojans has skyrocketed, although the attackers seem to be targeting mainly Russian, Eastern European and European banks with their creations. For more the spread and sophistication of ATM malware, see:

Spike in Malware Attacks on Aging ATMs

Thieves Planted Malware to Hack ATMs

Thieves ‘Jackpot’ ATMs With ‘Black Box’ Attack

Gang Hacked ATMs from Inside Banks

27 thoughts on “ATM Skimmer Gang Firebombed Antivirus Firm

  1. Tyler

    Any idea on what type of ATM’s they are targeting? There are 3 layers of software on any given ATM, I imagine their malware has to be pretty specific to work. Most likely targeting 1 model or 1 particular brand of ATM software.

  2. Chris Nielsen

    While I am located in the USA and have no connections with Russia, I am very motivated to donate some money to Dr. Web. I appreciate their stand against crime very much. Given their environment, it displays bravery I am not sure I would have in their situation.

    Thanks for reporting on this.

  3. IA Eng

    seems like the Russian cops didn’t do much to try to pin the act of the potential suspect. I am sure they could have recovered carbon and gas from the clothes that the crook wore, but since most cops seem to look the other way, the crook went free.

    Whooopie. Some one throws a single cocktail, which probably wasn’t very big, and did not hurt anything significant. It’s more drama than what its worth.

    If the programmers were a little smarter – if they truly indeed are programmers and not just a band of semi-intelligent thugs/gang members, they could have easily taken down the business with a long winded DDoS attack, which would have done more damage.

    1. BourneSupremacy

      I believe in what you state. If these guys had half a brain they’d be a lot more successful than they have been so far. These are probably 5-6 guys with a limited set of mediocre skills trying to make themselves out to be more than they actually are. If they were as “international” as they say they wouldn’t require the 3 stooges to carry out their cocktail throwing.

      1. SeymourB

        If these clowns had half a brain they wouldn’t be criminals.

  4. Mahhn

    LOL, Watch forensics experts from different companies come together to expose these punks. These dumb hackers are generating a huge trail to be tracked down. The more people they hire, the bigger the trail gets.
    Can’t wait to hear of these clowns getting ass raped in a Russian prison (since all the gays have been jailed).

  5. JCitizen

    Ukraine was a likely source of much computer related crime in the past; but now that Russia and Ukraine are in such a strained relationship, I will take any finger pointing with a grain of salt. Even if they are the source of the criminal activity, it is basically one criminal fighting another, so I kinda go Ho Hum!

    I’m not specifically blaming Dr. Web for anything, but to continue business in Russia, it seems like you have to pay the kleptocracy for protection to stay in business. The last bad news about Kaspersky zero day exploits just punctuates my point.

  6. jim

    Jay, I was thinking just the opposite. They are showing extreme signs of capitalistic endeavor. Cut throat to the end. The bad guys aren’t very smart, they would/should obtain a copy of the detection software that is traveling on them, and should be subverting it, or testing it on their unit to see how it’s detecting them, and the white hats should be individually numbering to see if the bad guys are smarter then the average bear.

  7. Jack Duggan

    Brian, I worry about your safety and that of your family in this regard–particularly after your expose’ of Mexican ATMs. I assume that you have taken appropriate precautions that I don’t wish to know about for obvious reasons..

  8. Liz

    I’m curious how it is that Dr. Web knew about the software prior to it being shippet to customers.

    1. BrianKrebs Post author

      I believe they said a version of it showed up on Not sure how the thieves would have made that mistake given the number of similar services that expressly do not share that info on virustotal, but there it is.

    2. emvguy

      I agree that this smells fishy. They obtained a software before it’s started being used. And this happens to be a vulnerability only known to Dr. Web and they only have the very vital cure for this very harmful virus. And some crooks threw molotov’s to buildings which are not even Dr. Web’s offices. Feels like this may even be their PR for announcing their ATM software.

  9. adfasdf

    this strikes me as an attempt to get publicity by a fledgling firm located in an area where it’s difficult or impossible for those in the West to confirm things. Reminds me of the stories about Kim Jong-un killing a guy by tossing him to wild dogs.

  10. Kyle

    “In the 18 months since then, the number of ATM-specific Trojans has skyrocketed, although the attackers seem to be targeting mainly Russian, Eastern European and European banks with their creations. For more the spread and sophistication of ATM malware…”

    the Russian gov doesn’t care much about cyber-attacks. But they DO when it’s against their own native banks. If this is true, they’ll be apprehended – one of the rarer scenarios in Russian cyber-law.

    1. IA Eng

      They’ll get picked up. The first question that will be asked is….where’s our cut? If they seem resistant, confused or clueless (which is not uncommon) they will stand in front of a so-called judge and they will “officially” take it.

    2. SeymourB

      It used to be that seeing a group screw up and target Russian citizens would be the last you’d hear about that group. Sadly that’s not the case anymore.

  11. Robert Scroggis

    I think I will make a donation to Dr. Web. I admire their courage and devotion to their products in such an unfriendly environment.


  12. Just a bot

    “””Each time, the damage was minimal, but it rattled company employees nonetheless.”””
    This is not going to end well . Hacker especially ATM hacker are not poor .They can hire people to use force and intimidation on Dr.Web employees and trust me there is no shortage of people in Russia/Chechnya/Dagestan/Uzbekistan/Tajikistan who will do it for couple of thousands euro .

  13. Jan Doggen

    There is one answer to these kinds of threats: distribute (copy) the information over as much other websites as possible.

    1. Vog Bedrog

      Chip & PIN addresses the issue of cloned cards, *only* once the magstripe is either phased out or no longer accepted anywhere. It has no impact on malware that targets ATMs rather than cards.

  14. parvez raton

    Thank you, great post and good info. I use IFTTT to to automate some tasks.
    Trello is a another helpful productivity, which I use on a daily basis. All the Best, Ralf

Comments are closed.