[German]International investigators and law enforcement (FBI, Europool, German LKA, etc.) have succeeded in identifying members of a cybergang that operated under the names "DoppelSpider" and "DoppelPaymer". The cybergang was responsible for ransomware attacks on companies and the University Hospital in Düsseldorf or the UK health system. Multiple targets in Germany and Ukraine has been raided last Tuesday. Law enforcement also issued international arrest warrants for three suspects with Russian backgrounds.
Advertising
I heard it briefly on the news on the radio, in the meantime there is also an announcement from the State Criminal Police Office of North Rhine-Westphalia and from Europool. Specialists of the NRW police, under the leadership of the North Rhine-Westphalia State Criminal Police Office (LKA NRW), in cooperation with Europol, the Federal Bureau of Investigation (FBI), the Dutch and the Ukrainian police, have succeeded in striking a blow against an internationally operating network of cybercriminals. Under the direction of the Central and Contact Point Cybercrime (ZAC NRW), investigators simultaneously searched several properties in Germany and Ukraine last Tuesday.
The DoubleSpider / DoublePaymer Gang
The cybercriminals operated in a gang known by various names such as DoubleSpider or DoublePaymer. The criminal group, which also calls itself "Indrik Spider" or "Double Spider," is responsible in Germany for, among other things, the extortion of the Düsseldorf University Hospital (see Düsseldorfer Uniklinik: IT-Ausfall durch Cyberangriff?), the cyber attacks against the Funke Media Group (see Funke-Mediengruppe Opfer eines Cyberangriffs) and other well-known companies in 2020.
The gang is accused of commercial digital extortion and computer sabotage. Using malware, so-called ransomware (BitPaymer, DoppelPaymer, PayOrGrief, Entropy), the perpetrators gained digital access to the computers of the affected companies, accessed data and then threatened to misuse it, combined with demands for money.
In some cases, over 600 victims worldwide were extorted sums in the tens of millions. The first attack of this type to become known was directed against the United Kingdom (UK) healthcare system in May 2017. Further cyberattacks on the digital infrastructure of a wide range of companies and institutions followed worldwide.
Investigative Commission "Parker" Strikes
In view of the attacks, the "Parker" investigation commission (EK) was established in Germany at the North Rhine-Westphalia Regional Criminal Police Office (LKA). Through the investigative commission "Parker" of the LKA NRW, together with the ZAC NRW, the investigations for all nationwide cases are conducted centrally as well as the investigations against the grouping are coordinated worldwide together with Europol.
Advertising
Since June 2020, the cybercrime specialists of the LKA NRW have been on the trail of the internationally operating cyber criminals. The specially established investigation commission (EK) "Parker" has now been able to identify the masterminds as well as other members of the ransomware group "DoppelSpider"/"DoppelPaymer".
In a targeted action, search warrants were executed simultaneously in Germany and Ukraine. In an action on Tuesday, Feb. 28, 2023, the EK "Parker" searched several properties in NRW, while at the same time investigators in Ukraine took action against identified members of the network.
In addition, the ZAC NRW issued arrest warrants against suspected masterminds of the criminal grouping with ties to Russia. With arrest warrants (Turashev, Zemlianikina and Garshin), law enforcement agencies are now searching worldwide for an initial three suspects.
- lgor Olegovich Turashev is suspected of having played a significant role in cyberattacks on German companies. The wanted man acted as the administrator of the IT infrastructure and malware used for the attacks.
- According to current investigations, Irina Zemlianikina is also jointly responsible for several cyberattacks on German companies. In particular, she administered the chat and leaking sites used for the perpetrators' communication with their victims and for publishing stolen data. It also sent e-mails with malware attached in order to infect systems with encryption software.
- Igor Garshin (alternatively: Garshin) is suspected of being one of the main perpetrators of cyber attacks, not least on German companies, through spying, infiltration as well as the final encryption of data.
Europol has placed the cyber criminals on its "Europe's most wanted" list. In addition to Europol and the FBI, the High-Tech Crime Unit of the Dutch police and the police in Ukraine are also decisively involved in the investigations and operational measures. The "Parker" investigative commission, which is part of the Cybercrime Department of the North Rhine-Westphalia Regional Criminal Police Office, is continuing its investigations in good cooperation with security authorities worldwide in the fight against cybercrime.
"The trial shows that cybercrime is international crime – on the part of both perpetrators and victims. Perpetrators attack infrastructures worldwide to extort ransoms for data." Markus Hartmann, head of ZAC NRW, assesses the current state of investigations. "However, the current investigative success also shows that we as law enforcement are capable of acting internationally." Addition: The collegues at Bleeping Computer has some more details about the raid.
