Attacks/Breaches

8/1/2018
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Feds Indict Three Ukrainians For Cyberattacks on 100+ Companies

Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov are senior members of the notorious FIN7 cybercrime group, aka the Carbanak Group.

US law enforcement Wednesday announced the arrests of three leading members of a prolific cybercrime group believed responsible for stealing data on some 15 million payment cards from more than 100 companies including Saks Fifth Avenue, Chipotle Mexican Grill, Arby's, and Red Robin.

Indictments unsealed today in the US District Court in Seattle identified Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, as members of FIN7, a hugely successful financial threat actor also known as the Carbanak Group.

The group is believed responsible for breaching some 6,500 point-of-sale terminals at more than 3,600 locations belonging to companies in 47 states in the US alone. Most of its victims have been from the hospitality, restaurant, and gaming industries. FIN7/Carbanak Group also claimed dozens of victims in the United Kingdom, France, and Australia.

In a fact sheet outlining the group's tactics, US prosecutors described FIN7 as one of the most "sophisticated and aggressive" threat actors in the world with dozens of operatives, a global C2 infrastructure, and an arsenal of sophisticated malware tools and tactics. It even established a front company called Combi Security to recruit hackers under the guise of being a legitimate penetration-testing firm. Among the many purported clients that Combi listed on its website were multiple US victims, prosecutors have alleged.

Fedorov, Hladyr, and Kolpakov each faces 26 felony counts related to wire fraud, computer hacking, access device fraud, aggravated identity theft, and conspiracy for their part on the massive criminal operation.

Hladyr, FIN7's alleged systems administrator and the individual supposedly responsible for maintaining the organization's servers and communication channels, was arrested in Dresden, Germany, earlier this year at the behest of US authorities. He is currently being detained in Seattle and will go to trail October 22.

Fedorov, described by prosecutors as a high-level FIN7 hacker and supervisor of individuals tasked with breaching victim networks, was arrested in Bielsko-Biala, Poland, earlier this year and is currently being held there pending extradition to the US.

Spanish authorities in June arrested Kolpakov in Lepe, Spain, where he remains detained pending a US request for his extradition.

The arrests and subsequent indictments mark a huge victory for law enforcement in the US and elsewhere. "The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise," said Jay Tabb, special agent in charge at the FBI's Seattle field office in a statement announcing the arrests.

Security vendor FireEye, which has been tracking FIN7 since 2015, described the group's activities as being primarily focused on payment card data theft. One of its most recent victims was Hudson's Bay—the owners of brands such as Saks and Lord & Taylor. The attack netted the group 5 million credit card records, which it later sold in underground markets. But not all of FIN7's attacks are payment card-related.

Earlier this year, researchers at FireEye discovered FIN7 targeting people at multiple organizations who were responsible for filing required company financial details with the US Securities and Exchange Commission. In that specific case, the goal appears to have been to try and steal information that would have helped the group profit through insider trading, FireEye said in a blog Wednesday.

When FIN7 has not been able to accomplish its initial goal of stealing payment card data from a victim organization, the group has also been observed going after finance department personnel at the same firm, FireEye says.

Personalized Hacks

FIN7's typical modus operandi has been to send highly sophisticated phishing emails to users at target organizations to try and get them to click on Word documents and other attachments with embedded malware. "Their phishing has often exploited urgent, high value business matters tailored to their chosen targets," FireEye said.

For example, FIN7 operatives have contacted managers at individual stores about being overcharged for something and attached a malicious document to it purporting to be the "receipt." When targeting a restaurant, the phishing email might refer to a food poisoning complaint and lure recipients to click on the malicious attachment to get more details. Often, FIN7 operatives have gone to the extent of placing phone calls to targeted individuals either before or after sending them a rouge email in an effort to lend greater credibility to their phishing lure.

Once a system is infected, FIN7 uses its C2 infrastructure to download an array of additional sophisticated malware tools for exfiltrating data, conducting surveillance, enabling lateral movement and carrying out other malicious activities. Some of the tools have the ability to take screen shots and make video recordings of user activity so FIN7 can locate and extract payment data, financial information, and other data of interest to the group.

FIN7's exceptional social engineering skills and methods to evade detection have contributed to its growth as a sophisticated cybercrime enterprise, said Kimberly Goody, manager of financial crime analysis at FireEye.

"Financially-motivated threat actors are becoming extremely advanced and are capable of inflicting significant harm on organizations through vast, carefully orchestrated campaigns," she said. "FIN7 is a prime example of this."

FireEye does not expect the arrests of Fedorov, Hladyr, and Kolpakov to necessarily lead to a cessation of FIN7's activities. What's more likely is that some of the remaining members will continue with the criminal operation using modified tactics, techniques, and procedures. It is also plausible that the group will split up into multiple smaller operations and carry out separate operations, FireEye said.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.