The Fin7 hacking group has leeched, by at least one estimate, well over a billion dollars from companies around the world. In the United States alone, Fin7 has stolen more than 15 million credit card numbers from over 3,600 business locations. On Wednesday, the Justice Department revealed that it had arrested three alleged members of the group—and even more important, detailed how it operates.
The indictments allege that three Ukrainian nationals—Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov—are members of Fin7, contributing to the group’s years-long reign as one of the most sophisticated, and aggressive, financially motivated hacking organizations in the world. Each has been charged with 26 felony counts, ranging from conspiracy to wire fraud to computer hacking to identity theft.
The three men allegedly had high-profile roles in Fin7: Hladyr as its systems administrator, and Fedorov and Kolpakov as supervisors to groups of hackers. And although Fin7 has continued to operate since they entered custody—Hladyr and Fedorov in January, and Kolpakov in June—the arrests do mark law enforcement’s first win against the shadowy cybercrime empire.
“This investigation continues. We are under no illusion that we have taken this group down altogether. But we have made a significant impact,” said US attorney Annette Hayes at a press conference announcing the indictments. “These hackers think they can hide behind keyboards in faraway places, and that they can escape the long arm of United States law. I’m here to tell you, and I think this announcement makes clear, that they cannot do that.”
The DoJ’s announcement, along with a new report by security firm FireEye, also gives unprecedented insight into how, and at what level, Fin7 operates. “They’ve brought a lot of techniques that we usually see associated with a state-sponsored attacker into the financial attacker realm,” says Barry Vengerik, a threat analyst at FireEye and coauthor of the Fin7 report. “They’re applying a level of sophistication that we’re not used to really seeing from financially motivated actors.”
On or around March 27 of last year, an employee at a Red Robin Gourmet Burgers and Brews received an email from firstname.lastname@example.org. The note complained about a recent experience; it urged the recipient to open the attachment for further details. They did. Within days, Fin7 had mapped Red Robin’s internal network. Within a week, it had obtained a username and password for the restaurant’s point-of-sale software management tool. And inside of two weeks, a Fin7 member allegedly uploaded a file containing hundreds of usernames and passwords for 798 Red Robin locations, along with “network information, telephone communications, and locations of alarm panels within restaurants,” according to the DoJ.
The Fin7 indictment alleges nine other incidents in addition to Red Robin, and each follows roughly the same playbook. It starts with an email. It looks innocuous enough: a reservation inquiry sent to a hotel, say, or a catering company receiving an order. It doesn’t necessarily even have an attachment. Just another client or customer reaching out with a question or concern.
Then, either in that first outreach or after a few emails back and forth, comes the request: Please see the attached Word doc or rich text file, it has all the pertinent information. And if you don’t open it—or maybe before you even receive it—someone gives you a phone call, as well, reminding you to.
“When targeting a hotel chain or restaurant chain, a conspirator would make a follow-up call falsely claiming that the details of a reservation request, catering order, or customer complaint could be found in the file attached to the previously delivered email,” the indictment says.
FireEye mentions one restaurant target who received a “list of inspections and checks scheduled to take place” on convincing FDA letterhead. An email to a hotel victim might claim to contain a picture of a bag someone left behind in a room. The approaches varied. And while “don’t open attachments from strangers” is the first rule of not getting phished, Fin7 targeted organizations that need to do just that in the regular course of business.
“Hi, my name’s James Anhril i want to make a takeout order for tomorrow for 11am. The enclosed file contains the order and my personal info. Click on edit at the top of the page and than [sic] double click to unlock content,” reads an example phishing email released by the DoJ. Each message was not only tailored to the specific business, it often was sent directly to the individual who would normally field that kind of request. In at least one instance, FireEye says, Fin7 even filled out a retailer’s web form to lodge a complaint; the victim made the first email contact.
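The lures described above all push the recipient to open a Word or RTF attachment and then disable the document’s protections (“click on edit ... double click to unlock content”). A mail gateway or SOC triage script can score incoming messages on exactly those traits. The following is an added example written for this article, not detection logic from the DoJ, FireEye, or any vendor: the Email class, lure_score and triage functions, the phrase list, the weights, and the sample messages are all constructed here, with the first sample modeled on the takeout-order lure quoted in the indictment.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Phrases typical of lures that ask the reader to defeat Office protections.
# Seeded from the wording the indictment quotes; the weights are constructed
# for this example and not tuned against real mail.
LURE_PATTERNS = [
    (r"\bunlock (the )?content\b", 3, "asks reader to unlock content"),
    (r"\benable (editing|content|macros)\b", 3, "asks reader to enable editing/content/macros"),
    (r"\bclick (on )?edit\b", 2, "asks reader to click Edit"),
    (r"\b(attached|enclosed) file\b", 1, "points reader at an attached file"),
]

# Carrier types named in the indictment: Word documents and rich text files.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".docm", ".rtf"}

# Messages with a score at or above this are flagged for analyst review.
FLAG_THRESHOLD = 5


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def lure_score(msg: Email, internal_domain: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one message. Higher is more lure-like."""
    score, reasons = 0, []
    text = f"{msg.subject}\n{msg.body}".lower()

    # An external sender shipping a document is the baseline risk signal;
    # internal senders with the same attachment types are not penalized.
    external = not msg.sender.lower().endswith("@" + internal_domain.lower())
    doc_attachments = [a for a in msg.attachments
                       if any(a.lower().endswith(ext) for ext in DOCUMENT_EXTENSIONS)]
    if external and doc_attachments:
        score += 2
        reasons.append(f"external sender with document attachment: {doc_attachments}")

    # Each lure phrase adds its weight once, regardless of repetitions.
    for pattern, weight, label in LURE_PATTERNS:
        if re.search(pattern, text):
            score += weight
            reasons.append(label)

    return score, reasons


def triage(messages: List[Email], internal_domain: str) -> List[Tuple[str, int, bool]]:
    """Score a batch of messages and mark which ones cross the threshold."""
    results = []
    for msg in messages:
        score, _ = lure_score(msg, internal_domain)
        results.append((msg.subject, score, score >= FLAG_THRESHOLD))
    return results


# Constructed sample mailbox for a hypothetical restaurant, domain diner.example.
INTERNAL_DOMAIN = "diner.example"
SAMPLE_MESSAGES = [
    Email(
        sender="james@customer.example",
        subject="takeout order for tomorrow",
        body=("Hi, I want to make a takeout order for tomorrow for 11am. "
              "The enclosed file contains the order and my personal info. "
              "Click on edit at the top of the page and then double click to unlock content."),
        attachments=["order.rtf"],
    ),
    Email(
        sender="sara@customer.example",
        subject="catering question",
        body="Do you cater for 30 people on Friday? Please send me a menu.",
    ),
    Email(
        sender="payroll@diner.example",
        subject="next week's schedule",
        body="Attached is next week's schedule, let me know about swaps.",
        attachments=["schedule.docx"],
    ),
]

if __name__ == "__main__":
    for subject, score, flagged in triage(SAMPLE_MESSAGES, INTERNAL_DOMAIN):
        print(f"{'FLAG ' if flagged else '     '}{score:2d}  {subject}")
```

The design point is that the scorer does not try to decide whether an external order or reservation is legitimate, since businesses like the ones Fin7 targeted must open such attachments every day. It only surfaces the combination the lures share: an outside sender, a document attachment, and instructions to disable the protections that would otherwise block embedded code. Flagged messages go to an analyst or a detonation sandbox rather than being dropped outright.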
And when targets did click, as one might assume, they downloaded malware onto their machines. Specifically, Fin7 hit them with a tailored version of Carbanak, which first emerged several years ago in a spate of lucrative attacks on banks. According to the indictment, the hackers would ensnare the compromised machine in a botnet, and through its command and control centers they would exfiltrate files, compromise other computers on the same network as the victim, and even capture screenshots and video of the workstation to steal credentials and other potentially valuable information.
Most of all, Fin7 stole payment card data, often by compromising point-of-sale hardware at companies like Chipotle, Chili’s, and Arby’s. The group allegedly stole millions of payment card numbers, and later offered them for sale on black market websites like Joker’s Stash.
“If we’re talking about scale, the number of affected victim organizations that we’ve worked with, then they’re definitely the largest,” Vengerik says. But even more impressive than the organization’s breadth might be its sophistication.
The most astonishing detail from Wednesday’s indictment centers less on the outcomes of Fin7’s sustained hacking spree, and more on the lengths it went to both achieve and conceal it.
“FIN7 used a front company, Combi Security, purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise,” wrote the Justice Department in a press release. “Ironically, the sham company’s website listed multiple US victims among its purported clients.”
That website has been listed as for sale since at least March, according to an archived version of the page. What’s unclear is whether the computer programmers Combi Security recruited realized that their activities weren’t on the level. Industry-standard penetration testing, after all, looks a whole lot like hacking, just with a target company’s blessing. “They would be handling the initial compromise and different stages, without maybe knowing the true purpose of their intrusions,” says Nick Carr, senior manager at FireEye and coauthor of the company’s latest Fin7 report.
The indictment also further outlines Fin7’s structure and activities. Members would often communicate through a private HipChat server, it says, and numerous private HipChat rooms, in which they would “collaborate on malware and victim business intrusions,” as well as share stolen credit card data. They allegedly used another Atlassian program, Jira, for project management purposes, tracking details of the intrusion, maps of networks, and stolen data.
While it’s still not clear how many people comprise Fin7—the indictment claims “dozens of members with diverse skillsets”—its organizational prowess appears to match or exceed that of many companies. And its hacking skills are of a caliber usually reserved for nation-state groups.
“We were actively responding to intrusions in networks and investigating past activity, and at the same time seeing them develop new behaviors,” Carr says. “To invent your own techniques, it’s just sort of next level.”
Those techniques range from a new form of command line obfuscation to a novel method of persistent access. Most of all, Fin7 seems capable of switching up its methods on a daily basis—and of rotating its targets at opportune times, shifting from banking to hotels to restaurants with ease. The DoJ indictment says the hackers recently targeted staffers at companies who handle Securities and Exchange Commission filings, an apparent bid to get an advanced look at market-moving intel.
And FireEye says it has already seen the group apparently move its focus to financial institution customers in Europe and Central Asia. Or maybe they’re splinter groups using similar techniques; despite the new spotlight from the Justice Department, there’s still only so much visibility.
Three arrests won’t stop an operation this sophisticated or wide-ranging. But the deepest look yet into the group’s techniques might at least help future victims head off Fin7 before it strikes next.