Attacks/Breaches

8/1/2018
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Feds Indict Three Ukrainians For Cyberattacks on 100+ Companies

Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov are senior members of the notorious FIN7 cybercrime group, aka the Carbanak Group.

US law enforcement Wednesday announced the arrests of three leading members of a prolific cybercrime group believed responsible for stealing data on some 15 million payment cards from more than 100 companies including Saks Fifth Avenue, Chipotle Mexican Grill, Arby's, and Red Robin.

Indictments unsealed today in the US District Court in Seattle identified Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, as members of FIN7, a hugely successful financial threat actor also known as the Carbanak Group.

The group is believed responsible for breaching some 6,500 point-of-sale terminals at more than 3,600 locations belonging to companies in 47 states in the US alone. Most of its victims have been from the hospitality, restaurant, and gaming industries. FIN7/Carbanak Group also claimed dozens of victims in the United Kingdom, France, and Australia.

In a fact sheet outlining the group's tactics, US prosecutors described FIN7 as one of the most "sophisticated and aggressive" threat actors in the world with dozens of operatives, a global C2 infrastructure, and an arsenal of sophisticated malware tools and tactics. It even established a front company called Combi Security to recruit hackers under the guise of being a legitimate penetration-testing firm. Among the many purported clients that Combi listed on its website were multiple US victims, prosecutors have alleged.

Fedorov, Hladyr, and Kolpakov each faces 26 felony counts related to wire fraud, computer hacking, access device fraud, aggravated identity theft, and conspiracy for their part on the massive criminal operation.

Hladyr, FIN7's alleged systems administrator and the individual supposedly responsible for maintaining the organization's servers and communication channels, was arrested in Dresden, Germany, earlier this year at the behest of US authorities. He is currently being detained in Seattle and will go to trail October 22.

Fedorov, described by prosecutors as a high-level FIN7 hacker and supervisor of individuals tasked with breaching victim networks, was arrested in Bielsko-Biala, Poland, earlier this year and is currently being held there pending extradition to the US.

Spanish authorities in June arrested Kolpakov in Lepe, Spain, where he remains detained pending a US request for his extradition.

The arrests and subsequent indictments mark a huge victory for law enforcement in the US and elsewhere. "The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise," said Jay Tabb, special agent in charge at the FBI's Seattle field office in a statement announcing the arrests.

Security vendor FireEye, which has been tracking FIN7 since 2015, described the group's activities as being primarily focused on payment card data theft. One of its most recent victims was Hudson's Bay—the owners of brands such as Saks and Lord & Taylor. The attack netted the group 5 million credit card records, which it later sold in underground markets. But not all of FIN7's attacks are payment card-related.

Earlier this year, researchers at FireEye discovered FIN7 targeting people at multiple organizations who were responsible for filing required company financial details with the US Securities and Exchange Commission. In that specific case, the goal appears to have been to try and steal information that would have helped the group profit through insider trading, FireEye said in a blog Wednesday.

When FIN7 has not been able to accomplish its initial goal of stealing payment card data from a victim organization, the group has also been observed going after finance department personnel at the same firm, FireEye says.

Personalized Hacks

FIN7's typical modus operandi has been to send highly sophisticated phishing emails to users at target organizations to try and get them to click on Word documents and other attachments with embedded malware. "Their phishing has often exploited urgent, high value business matters tailored to their chosen targets," FireEye said.

For example, FIN7 operatives have contacted managers at individual stores about being overcharged for something and attached a malicious document to it purporting to be the "receipt." When targeting a restaurant, the phishing email might refer to a food poisoning complaint and lure recipients to click on the malicious attachment to get more details. Often, FIN7 operatives have gone to the extent of placing phone calls to targeted individuals either before or after sending them a rouge email in an effort to lend greater credibility to their phishing lure.

Once a system is infected, FIN7 uses its C2 infrastructure to download an array of additional sophisticated malware tools for exfiltrating data, conducting surveillance, enabling lateral movement and carrying out other malicious activities. Some of the tools have the ability to take screen shots and make video recordings of user activity so FIN7 can locate and extract payment data, financial information, and other data of interest to the group.

FIN7's exceptional social engineering skills and methods to evade detection have contributed to its growth as a sophisticated cybercrime enterprise, said Kimberly Goody, manager of financial crime analysis at FireEye.

"Financially-motivated threat actors are becoming extremely advanced and are capable of inflicting significant harm on organizations through vast, carefully orchestrated campaigns," she said. "FIN7 is a prime example of this."

FireEye does not expect the arrests of Fedorov, Hladyr, and Kolpakov to necessarily lead to a cessation of FIN7's activities. What's more likely is that some of the remaining members will continue with the criminal operation using modified tactics, techniques, and procedures. It is also plausible that the group will split up into multiple smaller operations and carry out separate operations, FireEye said.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8360
PUBLISHED: 2019-02-16
Themerig Find a Place CMS Directory 1.5 has SQL Injection via the find/assets/external/data_2.php cate parameter.
CVE-2019-8361
PUBLISHED: 2019-02-16
PHP Scripts Mall Responsive Video News Script has XSS via the Search Bar. This might, for example, be leveraged for HTML injection or URL redirection.
CVE-2019-8362
PUBLISHED: 2019-02-16
DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, o...
CVE-2019-8363
PUBLISHED: 2019-02-16
Verydows 2.0 has XSS via the index.php?c=main a parameter, as demonstrated by an a=index[XSS] value.
CVE-2019-8358
PUBLISHED: 2019-02-16
In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled.