{"id":12993,"date":"2018-08-02T10:45:12","date_gmt":"2018-08-02T18:45:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/08\/02\/news-6760\/"},"modified":"2018-08-02T10:45:12","modified_gmt":"2018-08-02T18:45:12","slug":"news-6760","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/08\/02\/news-6760\/","title":{"rendered":"Fin7: The Inner Workings of a Billion-Dollar Hacking Group"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b62097e798e620b765a82ae\/master\/pass\/creditcards-949126662.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett | Date: Wed, 01 Aug 2018 22:06:13 +0000<\/strong><\/p>\n<p><span class=\"lede\">The Fin7 hacking <\/span>group has leeched, by <a href=\"https:\/\/www.wired.com\/story\/fin7-carbanak-hacking-group-behind-a-string-of-big-breaches\/\">at least one estimate<\/a>, well over a billion dollars from companies around the world. In the United States alone, Fin7 has stolen more than 15 million credit card numbers from over 3,600 business locations. On Wednesday, the Justice Department <a href=\"https:\/\/www.justice.gov\/opa\/pr\/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100\" target=\"_blank\">revealed<\/a> that it had arrested three alleged members of the group\u2014and even more important, detailed how it operates.<\/p>\n<p>The <a href=\"https:\/\/www.justice.gov\/opa\/press-release\/file\/1084316\/download\" target=\"_blank\">indictments<\/a> allege that three Ukrainian nationals\u2014Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov\u2014are members of Fin7, contributing to the group\u2019s years-long reign as one of the most sophisticated, and aggressive, financially motivated hacking organizations in the world. 
Each has been charged with 26 felony counts, ranging from conspiracy to wire fraud to computer hacking to identity theft.<\/p>\n<p class=\"paywall\">The three men allegedly had high-profile roles in Fin7: Hladyr as its systems administrator, and Fedorov and Kopakov as supervisors to groups of hackers. And although Fin7 has continued to operate since they entered custody\u2014Hladyr and Fedorov in January, and Kolpakov in June\u2014the arrests do mark law enforcement\u2019s first win against the shadowy cybercrime empire.<\/p>\n<p class=\"paywall\">\u201cThis investigation continues. We are under no illusion that we have taken this group down altogether. But we have made a significant impact,\u201d said US attorney Annette Hayes at a press conference announcing the indictments. \u201cThese hackers think they can hide behind keyboards in faraway places, and that they can escape the long arm of United States law. I\u2019m here to tell you, and I think this announcement makes clear, that they cannot do that.\u201d<\/p>\n<p class=\"paywall\">The DoJ&#x27;s announcement, along with a <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2018\/08\/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\" target=\"_blank\">new report<\/a> by security firm FireEye, also gives unprecedented insight into how, and at what level, Fin7 operates. \u201cThey\u2019ve brought a lot of techniques that we usually see associated with a state-sponsored attacker into the financial attacker realm,\u201d says Barry Vengerik, a threat analyst at FireEye and coauthor of the Fin7 report. \u201cThey\u2019re applying a level of sophistication that we\u2019re not used to really seeing from financially motivated actors.\u201d<\/p>\n<p class=\"paywall\">On or around March 27 of last year, an employee at a Red Robin Gourmet Burgers and Brews received an email from ray.donovan84@yahoo.com. 
The note complained about a recent experience; it urged the recipient to open the attachment for further details. They did. Within days, Fin7 had mapped Red Robin\u2019s internal network. Within a week, it had obtained a username and password for the restaurant\u2019s point-of-sale software management tool. And inside of two weeks, a Fin7 member allegedly uploaded a file containing hundreds of usernames and passwords for 798 Red Robin locations, along with \u201cnetwork information, telephone communications, and locations of alarm panels within restaurants,\u201d according to the DoJ.<\/p>\n<p>&#x27;We are under no illusion that we have taken this group down altogether. But we have made a significant impact.&#x27;<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">US Attorney Annette Hayes<\/p>\n<p class=\"paywall\">The Fin7 indictment alleges nine other incidents in addition to Red Robin, and each follows roughly the same playbook. It starts with an email. It looks innocuous enough: a reservation inquiry sent to a hotel, say, or a catering company receiving an order. It doesn\u2019t necessarily even have an attachment. Just another client or customer reaching out with a question or concern.<\/p>\n<p class=\"paywall\">Then, either in that first outreach or after a few emails back and forth, comes the request: Please see the attached Word doc or rich text file, it has all the pertinent information. 
And if you don\u2019t open it\u2014or maybe before you even receive it\u2014someone gives you a phone call, as well, reminding you to.<\/p>\n<p class=\"paywall\">\u201cWhen targeting a hotel chain or restaurant chain, a conspirator would make a follow-up call falsely claiming that the details of a reservation request, catering order, or customer complaint could be found in the file attached to the previously delivered email,\u201d the indictment says.<\/p>\n<p class=\"paywall\">FireEye mentions one restaurant target who received a \u201clist of inspections and checks scheduled to take place,\u201d on convincing FDA letterhead. An email to a hotel victim might claim to contain a picture of a bag someone left behind in a room. The approaches varied. And while \u201cdon\u2019t open attachments from strangers\u201d is the <a href=\"https:\/\/www.wired.com\/story\/resist-phishing-attacks\/\">first rule of not getting phished<\/a>, Fin7 targeted organizations that need to do just that in the regular course of business.<\/p>\n<p class=\"paywall\">\u201cHi, my name\u2019s James Anhril i want to make a takeout order for tomorrow for 11am. The enclosed file contains the order and my personal info. Click on edit at the top of the page and than [<em>sic<\/em>] double click to unlock content,\u201d reads an example phishing email released by the DoJ. Each message was not only tailored to the specific business, it often was sent directly to the individual who would normally field that kind of request. In at least one instance, FireEye says, Fin7 even filled out a retailer\u2019s web form to lodge a complaint; the victim made the first email contact.<\/p>\n<p class=\"paywall\">And when targets did click, as one might assume, they downloaded malware onto their machines. 
Specifically, Fin7 hit them with a tailored version of Carbanak, which first emerged several years ago in a spate of <a href=\"https:\/\/www.nytimes.com\/2015\/02\/15\/world\/bank-hackers-steal-millions-via-malware.html\" target=\"_blank\">lucrative attacks<\/a> on banks. According to the indictment, the hackers would ensnare the compromised machine in a botnet, and through its command and control centers they would exfiltrate files, compromise other computers on the same network as the victim, and even capture screenshots and video of the workstation to steal credentials and other potentially valuable information.<\/p>\n<p class=\"paywall\">Most of all, Fin7 stole payment card data, often by compromising point-of-sale hardware at companies like Chipotle, Chili\u2019s, and Arby\u2019s. The group allegedly stole millions of payment card numbers, and later offered them for sale on black market websites like Joker\u2019s Stash.<\/p>\n<p class=\"paywall\">\u201cIf we\u2019re talking about scale, the number of affected victim organizations that we\u2019ve worked with, then they\u2019re definitely the largest,\u201d Vengerik says. But even more impressive than the organization\u2019s breadth might be its sophistication.<\/p>\n<p class=\"paywall\">The most astonishing detail from Wednesday\u2019s indictment centers less around the outcomes of Fin7\u2019s sustained hacking spree, and more the lengths it went to both achieve and conceal it.<\/p>\n<p class=\"paywall\">\u201cFIN7 used a front company, Combi Security, purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise,\u201d wrote the Justice Department in a press release. 
\u201cIronically, the sham company\u2019s website listed multiple US victims among its purported clients.\u201d<\/p>\n<p>&#x27;To invent your own techniques, it\u2019s just sort of next level.&#x27;<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">Nick Carr, FireEye<\/p>\n<p class=\"paywall\">That website has been listed as for sale since at least March, according to an <a href=\"http:\/\/web.archive.org\/web\/20180325083029\/http:\/\/combisecurity.com\/\" target=\"_blank\">archived version<\/a> of the page. What\u2019s unclear is whether the computer programmers Combi Security recruited realized that their activities weren\u2019t on the level. Industry-standard penetration testing, after all, looks a whole lot like hacking, just with a target company\u2019s blessing. \u201cThey would be handling the initial compromise and different stages, without maybe knowing the true purpose of their intrusions,\u201d says Nick Carr, senior manager at FireEye and coauthor of the company\u2019s latest Fin7 report.<\/p>\n<p class=\"paywall\">The indictment also further outlines Fin7\u2019s structure and activities. Members would often communicate through a private HipChat server, it says, and numerous private HipChat rooms, in which they would \u201ccollaborate on malware and victim business intrusions,\u201d as well as share stolen credit card data. They allegedly used another Atlassian program, Jira, for project management purposes, tracking details of the intrusion, maps of networks, and stolen data.<\/p>\n<p class=\"paywall\">While it\u2019s still not clear how many people comprise Fin7\u2014the indictment claims \u201cdozens of members with diverse skillsets\u201d\u2014its organizational prowess appears to match or exceed many companies. 
And its hacking skills are of a caliber usually reserved for nation-state groups.<\/p>\n<p class=\"paywall\">\u201cWe were actively responding to intrusions in networks and investigating past activity, and at the same time seeing them develop new behaviors,\u201d Carr says. \u201cTo invent your own techniques, it\u2019s just sort of next level.\u201d<\/p>\n<p class=\"paywall\">Those techniques range from a new form of <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/06\/obfuscation-in-the-wild.html\" target=\"_blank\">command line obfuscation<\/a> to a novel method of <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/05\/fin7-shim-databases-persistence.html\" target=\"_blank\">persistent access<\/a>. Most of all, Fin7 seems capable of switching up its methods on a daily basis\u2014and of rotating its targets at opportune times, shifting from banking to hotels to restaurants with ease. The DoJ indictment says the hackers recently targeted staffers at companies who handle Securities and Exchange Commission filings, an apparent bid to get an advanced look at market-moving intel.<\/p>\n<p class=\"paywall\">And FireEye says it has already seen the group apparently move its focus to financial institution customers in Europe and Central Asia. Or maybe they\u2019re splinter groups using similar techniques; despite the new spotlight from the Justice Department, there\u2019s still only so much visibility.<\/p>\n<p class=\"paywall\">Three arrests won&#x27;t stop an operation this sophisticated or wide-ranging. But the deepest look yet into the group\u2019s techniques might at least help future victims head off Fin7 before it strikes next.<\/p>\n<p class=\"related-cne-video-component__dek\">Phishing scams are getting more and more sophisticated, to the point where they\u2019re fooling even security experts. 
Here&#39;s how to avoid them.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/fin7-wild-inner-workings-billion-dollar-hacking-group\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b62097e798e620b765a82ae\/master\/pass\/creditcards-949126662.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Wed, 01 Aug 2018 22:06:13 +0000<\/strong><\/p>\n<p>The Justice Department announced the arrest of three members of notorious cybercrime group Fin7\u2014and detailed some of their methods in the process.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-12993","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12993","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12993"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12993\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12993"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12993"},{"tax
onomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12993"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}