FBI indictments unsealed Wednesday detailed the alleged crimes of three members of the FIN7 cybercrime gang who have been arrested and are in custody in Seattle.
Ukrainian nationals Dmytro Fedorov, Fedir Hladyr and Andrii Kopakov were arrested by the FBI and are in custody. Each has been charged with 26 federal offenses, including conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.
The FBI described the three hackers as “high-ranking members” of the FIN7 cybercrime organization — also known as the Carbanak Group — in a press release. The FIN7 group has been connected with attacks on more than 100 businesses and data breaches across 47 states in which “more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations” were stolen.
The FBI admitted it didn’t expect FIN7 to disappear following these arrests, but framed the indictments as a major blow to the group.
“The naming of these FIN7 leaders marks a major step toward dismantling this sophisticated criminal enterprise,” Jay Tabb, special agent in charge of the FBI’s Seattle field office, said in a statement. “As the lead federal agency for cyber-attack investigations, the FBI will continue to work with its law enforcement partners worldwide to pursue the members of this devious group, and hold them accountable for stealing from American businesses and individuals.”
However, security vendor FireEye wrote in a blog post that while FIN7 may pause activity for a short time, the group would continue in one form or another.
“Depending on the organizational and communication structure of the group, it is also plausible that multiple subgroups could form and carry out independent operations in the future. Recent campaigns, as well as those using tactics that were atypical for historical FIN7 campaigns, such as the SEC [Securities and Exchange Commission] campaigns with widespread targeting, may be representative of semi-autonomous groups pre-existing within, or cooperating with, the FIN7 criminal organization,” FireEye researchers wrote. “Certain malware families and techniques transcend strictly defined threat groups, and may be re-used by developers and operators as they transition between organizations and campaigns.”
According to the FBI announcement, FIN7 primarily targeted companies in the “restaurant, gaming and hospitality industries,” across the U.S., U.K., France and Australia. The FBI described FIN7’s methods as using spear phishing, adding that the group “accompanied emails with telephone calls intended to further legitimize the email” in order to trick users into installing Carbanak malware.
FireEye expanded on this based on its history of FIN7 activity, saying the group was connected to attacks across the U.S. and Europe in the hospitality, restaurant, travel, education, gaming, construction, energy, retail, finance, telecom, high-tech, government, software and business service industries.
Kimberly Goody, cybercrime analysis manager at FireEye, based in Milpitas, Calif., also clarified the distinction between Carbanak malware and the commonly used Carbanak Group name via Twitter.
“We’ve previously reported that there are multiple sets of activity that have employed CARBANAK malware. One of these activity sets is FIN7. Calling a group by a malware name isn’t a best practice, as multiple actors/groups could be using it and thus causes confusion.” — Kimberly (@tiskimber), August 1, 2018
The FBI noted that FIN7 even made attempts to appear legitimate.
“FIN7 used a front company, Combi Security, purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise,” the FBI wrote. “Combi Security’s website indicated that it provided a number of security services such as penetration testing. Ironically, the sham company’s website listed multiple U.S. victims among its purported clients.”
FireEye confirmed some of FIN7’s job postings through Combi Security.
“While the recruitment of unwitting individuals as puppets has been a common component of at least some criminal schemes — for example, reshipping mules who are recruited through postings on career sites advertising attractive work-from-home jobs — FIN7’s veiling of full-scale financial compromises as legitimate offensive security engagements is particularly notable,” FireEye researchers wrote. “The apparent success of Combi Security in recruiting unsuspecting individuals in this manner may lead to more of this type of technical recruitment by cyber criminals in the future.”