8/1/2018
05:20 PM
Feds Indict Three Ukrainians For Cyberattacks on 100+ Companies

Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov are senior members of the notorious FIN7 cybercrime group, aka the Carbanak Group.

US law enforcement Wednesday announced the arrests of three leading members of a prolific cybercrime group believed responsible for stealing data on some 15 million payment cards from more than 100 companies including Saks Fifth Avenue, Chipotle Mexican Grill, Arby's, and Red Robin.

Indictments unsealed today in the US District Court in Seattle identified Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, as members of FIN7, a hugely successful financial threat actor also known as the Carbanak Group.

The group is believed responsible for breaching some 6,500 point-of-sale terminals at more than 3,600 locations belonging to companies in 47 states in the US alone. Most of its victims have been from the hospitality, restaurant, and gaming industries. FIN7/Carbanak Group also claimed dozens of victims in the United Kingdom, France, and Australia.

In a fact sheet outlining the group's tactics, US prosecutors described FIN7 as one of the most "sophisticated and aggressive" threat actors in the world with dozens of operatives, a global C2 infrastructure, and an arsenal of sophisticated malware tools and tactics. It even established a front company called Combi Security to recruit hackers under the guise of being a legitimate penetration-testing firm. Among the many purported clients that Combi listed on its website were multiple US victims, prosecutors have alleged.

Fedorov, Hladyr, and Kolpakov each face 26 felony counts related to wire fraud, computer hacking, access device fraud, aggravated identity theft, and conspiracy for their part in the massive criminal operation.

Hladyr, FIN7's alleged systems administrator and the individual supposedly responsible for maintaining the organization's servers and communication channels, was arrested in Dresden, Germany, earlier this year at the behest of US authorities. He is currently being detained in Seattle and will go to trial October 22.

Fedorov, described by prosecutors as a high-level FIN7 hacker and supervisor of individuals tasked with breaching victim networks, was arrested in Bielsko-Biala, Poland, earlier this year and is currently being held there pending extradition to the US.

Spanish authorities in June arrested Kolpakov in Lepe, Spain, where he remains detained pending a US request for his extradition.

The arrests and subsequent indictments mark a huge victory for law enforcement in the US and elsewhere. "The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise," said Jay Tabb, special agent in charge at the FBI's Seattle field office in a statement announcing the arrests.

Security vendor FireEye, which has been tracking FIN7 since 2015, described the group's activities as being primarily focused on payment card data theft. One of its most recent victims was Hudson's Bay, the owner of brands such as Saks and Lord & Taylor. The attack netted the group 5 million credit card records, which it later sold in underground markets. But not all of FIN7's attacks are payment card-related.

Earlier this year, researchers at FireEye discovered FIN7 targeting people at multiple organizations who were responsible for filing required company financial details with the US Securities and Exchange Commission. In that specific case, the goal appears to have been to steal information that would have helped the group profit through insider trading, FireEye said in a blog Wednesday.

When FIN7 has not been able to accomplish its initial goal of stealing payment card data from a victim organization, the group has also been observed going after finance department personnel at the same firm, FireEye says.

Personalized Hacks

FIN7's typical modus operandi has been to send highly sophisticated phishing emails to users at target organizations to try to get them to open Word documents and other attachments with embedded malware. "Their phishing has often exploited urgent, high value business matters tailored to their chosen targets," FireEye said.

For example, FIN7 operatives have contacted managers at individual stores claiming to have been overcharged for something and attached a malicious document purporting to be the "receipt." When targeting a restaurant, the phishing email might refer to a food poisoning complaint and lure recipients into opening the malicious attachment to get more details. Often, FIN7 operatives have gone to the extent of placing phone calls to targeted individuals either before or after sending them a rogue email in an effort to lend greater credibility to their phishing lure.

Once a system is infected, FIN7 uses its C2 infrastructure to download an array of additional sophisticated malware tools for exfiltrating data, conducting surveillance, enabling lateral movement, and carrying out other malicious activities. Some of the tools have the ability to take screenshots and make video recordings of user activity so FIN7 can locate and extract payment data, financial information, and other data of interest to the group.

FIN7's exceptional social engineering skills and methods to evade detection have contributed to its growth as a sophisticated cybercrime enterprise, said Kimberly Goody, manager of financial crime analysis at FireEye.

"Financially-motivated threat actors are becoming extremely advanced and are capable of inflicting significant harm on organizations through vast, carefully orchestrated campaigns," she said. "FIN7 is a prime example of this."

FireEye does not expect the arrests of Fedorov, Hladyr, and Kolpakov to necessarily lead to a cessation of FIN7's activities. What's more likely is that some of the remaining members will continue the criminal operation using modified tactics, techniques, and procedures. It is also plausible that the group will split up into multiple smaller crews that carry out separate operations, FireEye said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.