FIN7

Formation: 2015
Type: Hacking
Affiliations: BlackCat

FIN7, also called Carbon Spider, ELBRUS, or Sangria Tempest, [1] is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. [2] FIN7 is also associated with GOLD NIAGARA, ITG14, ALPHV and BlackCat. [3] [4]

History

In March 2017 FIN7 engaged in a spear-phishing campaign against company employees involved with SEC filings. [5]

In August 2018 three members of FIN7 were charged by the United States Department of Justice for cybercrimes that impacted more than 100 U.S. companies. [6]

In November 2018 it was reported that FIN7 were behind data breaches of Red Robin, Chili's, Arby's, Burgerville, Omni Hotels and Saks Fifth Avenue. [7]

In March 2020, the FBI issued a warning that members of FIN7 have been targeting companies in the retail, restaurant, and hotel industries with BadUSB attacks designed to deliver REvil or BlackMatter ransomware. [8] Packages have been sent to employees in IT, executive management, and human resources departments. [8] One intended target was sent a package in the mail which contained a fake gift card from Best Buy as well as a USB flash drive with a letter stating that the recipient should plug the drive into their computer to access a list of items that could be purchased with the gift card. [8] [9] When tested, the USB drive emulated a keyboard, and then initiated a series of keystrokes which opened a PowerShell window and issued commands to download malware to the test computer, and then contacted servers in Russia. [8] [9]

In December 2020 it was reported that FIN7 may be a close collaborator of Ryuk. [10]

In April 2021 Fedir Hladyr, a Ukrainian "high-level manager" of FIN7, was sentenced to 10 years in prison in the United States after he pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking. [11] [12]

In January 2022, the FBI issued a warning that members of FIN7 have been targeting transportation and insurance companies (since August 2021), and defense companies (since November 2021), with BadUSB attacks designed to deliver REvil and/or BlackMatter ransomware. [13] [14] The intended targets were sent USB drives in packages claiming to be from Amazon or the United States Department of Health and Human Services, with letters about free gift cards or COVID-19 protocols that were purportedly explained further by information on the USB drive. [13] [14] When plugged in, the USB drives emulate a keyboard, and then initiate a series of keystrokes which open a PowerShell window and issue commands to download malware. [13] [14]
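The BadUSB chain described in the March 2020 and January 2022 warnings leaves a characteristic trace on the endpoint: a new keyboard-class device appears, and within seconds a PowerShell process is started, typically with the user's shell (explorer.exe) as parent, because the injected keystrokes go through the interactive desktop. The following Python is an added example (not from the article or any cited source) of a detection that correlates those two signals. It assumes a simplified `time|event id|key=value|...` line format and uses constructed sample records modelled on Windows Security event IDs 6416 (new external device recognised) and 4688 (process creation); the field names and the sample lines are assumptions, not real logs.

```python
"""Correlate 'new keyboard device' events with PowerShell launches.

Added detection example; the log lines below are constructed, not real.
Event IDs referenced (Windows Security log):
  6416 - a new external device was recognised by the system
  4688 - a new process has been created
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: one HID keyboard arrival followed 7 seconds later by
# PowerShell spawned from explorer.exe (the BadUSB pattern), plus benign noise:
# a mass-storage device with no follow-up and an unrelated admin PowerShell.
SAMPLE_LOG = r"""
2022-01-07T09:13:40Z|4688|NewProcessName=C:\Windows\System32\notepad.exe|ParentProcessName=C:\Windows\explorer.exe|SubjectUserName=jdoe
2022-01-07T09:14:02Z|6416|ClassName=HIDClass|DeviceDescription=USB Input Device|DeviceId=HID\VID_0000&PID_0000\CONSTRUCTED
2022-01-07T09:14:09Z|4688|NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentProcessName=C:\Windows\explorer.exe|SubjectUserName=jdoe
2022-01-07T10:30:00Z|6416|ClassName=USB|DeviceDescription=USB Mass Storage Device|DeviceId=USB\VID_0000&PID_0001\CONSTRUCTED
2022-01-07T10:45:00Z|4688|NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentProcessName=C:\Windows\System32\cmd.exe|SubjectUserName=admin
"""


@dataclass
class Event:
    time: datetime
    event_id: int
    fields: Dict[str, str]


def parse_event(line: str) -> Event:
    """Parse one constructed line: '<ISO time>|<event id>|k=v|k=v...'."""
    stamp, eid, *pairs = line.strip().split("|")
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(stamp.replace("Z", "+00:00")), int(eid), fields)


def is_new_keyboard(ev: Event) -> bool:
    """A 6416 event whose device class is keyboard/HID (what a BadUSB stick presents as)."""
    return ev.event_id == 6416 and ev.fields.get("ClassName", "").lower() in {"keyboard", "hidclass"}


def is_powershell_start(ev: Event) -> bool:
    """A 4688 event creating powershell.exe or pwsh.exe."""
    name = ev.fields.get("NewProcessName", "").lower()
    return ev.event_id == 4688 and name.endswith(("\\powershell.exe", "\\pwsh.exe"))


def correlate(lines: List[str], window_seconds: int = 60) -> List[dict]:
    """Return one alert per PowerShell start within `window_seconds` after a new keyboard device."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.time)
    alerts = []
    for kb in filter(is_new_keyboard, events):
        deadline = kb.time + timedelta(seconds=window_seconds)
        for ps in filter(is_powershell_start, events):
            if kb.time <= ps.time <= deadline:
                parent = ps.fields.get("ParentProcessName", "").lower()
                alerts.append({
                    "device": kb.fields.get("DeviceDescription", "?"),
                    "device_time": kb.time.isoformat(),
                    "process": ps.fields.get("NewProcessName", "?"),
                    "parent": ps.fields.get("ParentProcessName", "?"),
                    "user": ps.fields.get("SubjectUserName", "?"),
                    "seconds_after_device": int((ps.time - kb.time).total_seconds()),
                    # explorer.exe as parent means the shell was started from the
                    # interactive desktop, consistent with injected keystrokes.
                    "interactive_parent": parent.endswith("\\explorer.exe"),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune `window_seconds` to the environment: the keystroke injection fires almost immediately after enumeration, so a short window keeps the rule precise, and the `interactive_parent` flag separates desktop-launched shells from scripted administration. The same correlation can be expressed in a SIEM query once 6416 and 4688 (with command-line auditing) are collected.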

In 2021 the group began using ransomware known as ALPHV, written in Rust, which was offered to affiliates as ransomware as a service (RaaS). [4] [15]

In February 2023 the group was named in the Irish High Court as being behind the Munster Technological University ransomware attack. [16]


References

  1. "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
  2. "Fin7: The Billion-Dollar Hacking Group Behind a String of Big Breaches". Wired. ISSN 1059-1028. Retrieved 2021-03-15.
  3. "FIN7, GOLD NIAGARA, ITG14, Carbon Spider, Group G0046 | MITRE ATT&CK®". attack.mitre.org. Retrieved 2022-03-01.
  4. Scroxton, Alex (2022-09-22). "ALPHV/BlackCat ransomware family becoming more dangerous". Computer Weekly. Retrieved 2023-02-12.
  5. "FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings". FireEye. Archived from the original on 2021-04-19. Retrieved 2021-03-15.
  6. "Three Members of Notorious International Cybercrime Group "Fin7" In Custody for Role in Attacking Over 100 U.S. companies". www.justice.gov. 2018-08-01. Retrieved 2021-03-15.
  7. Gorelik, Michael. "FIN7 Not Finished – Morphisec Spots New Campaign". blog.morphisec.com. Retrieved 2021-03-15.
  8. Ilascu, Ionut (2020-03-27). "FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS". Bleeping Computer. "This is not a one-off incident, though. The FBI warns that FIN7 has mailed these packages via USPS to numerous businesses (retail, restaurant, hotel industry) where they target employees in human resources, IT, or executive management departments. These packages sometimes include "gifts" like teddy bears or gift cards. These USB drives are configured to emulate keystrokes that launch a PowerShell command to retrieve malware from server controlled by the attacker. Then, the USB device contacts domains or IP addresses in Russia."
  9. Cimpanu, Catalin (2020-03-26). "Rare BadUSB attack detected in the wild against US hospitality provider". ZDNet. Archived from the original on 2020-03-26. Retrieved 2021-09-07.
  10. "Collaboration between FIN7 and the RYUK group, a Truesec Investigation". TRUESEC Blog. 2020-12-22. Retrieved 2021-03-15.
  11. "High-level organizer of notorious hacking group FIN7 sentenced to ten years in prison for scheme that compromised tens of millions of debit and credit cards". www.justice.gov. 2021-04-16. Retrieved 2021-04-22.
  12. Palmer, Danny. "'High-level' organiser of FIN7 hacking group sentenced to 10 years in prison". ZDNet. Retrieved 2021-04-22.
  13. Gatlan, Sergiu (2022-01-07). "FBI: Hackers use BadUSB to target defense firms with ransomware". Bleeping Computer. "FIN7 operators impersonated Amazon and the US Department of Health & Human Services (HHS) to trick the targets into opening the packages and connecting the USB drives to their systems. Since August, reports received by the FBI say that these malicious packages also contain letters about COVID-19 guidelines or counterfeit gift cards and forged thank you notes, depending on the impersonated entity."
  14. Tung, Liam (2022-01-10). "Ransomware warning: Cyber criminals are mailing out USB drives that install malware". ZDNET.
  15. "2022-004: ACSC Ransomware Profile – ALPHV (aka BlackCat)". Australian Cyber Security Centre. 2022-04-14. Retrieved 2023-02-12.
  16. Moore, Jane; O'Connor, Niall. "MTU Cork confirms hackers have encrypted university data and demanded a ransom". TheJournal.ie.