Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:20 PM
Connect Directly

Feds Indict Three Ukrainians For Cyberattacks on 100+ Companies

Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov are senior members of the notorious FIN7 cybercrime group, aka the Carbanak Group.

US law enforcement Wednesday announced the arrests of three leading members of a prolific cybercrime group believed responsible for stealing data on some 15 million payment cards from more than 100 companies including Saks Fifth Avenue, Chipotle Mexican Grill, Arby's, and Red Robin.

Indictments unsealed today in the US District Court in Seattle identified Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, as members of FIN7, a hugely successful financial threat actor also known as the Carbanak Group.

The group is believed responsible for breaching some 6,500 point-of-sale terminals at more than 3,600 locations belonging to companies in 47 states in the US alone. Most of its victims have been from the hospitality, restaurant, and gaming industries. FIN7/Carbanak Group also claimed dozens of victims in the United Kingdom, France, and Australia.

In a fact sheet outlining the group's tactics, US prosecutors described FIN7 as one of the most "sophisticated and aggressive" threat actors in the world with dozens of operatives, a global C2 infrastructure, and an arsenal of sophisticated malware tools and tactics. It even established a front company called Combi Security to recruit hackers under the guise of being a legitimate penetration-testing firm. Among the many purported clients that Combi listed on its website were multiple US victims, prosecutors have alleged.

Fedorov, Hladyr, and Kolpakov each faces 26 felony counts related to wire fraud, computer hacking, access device fraud, aggravated identity theft, and conspiracy for their part on the massive criminal operation.

Hladyr, FIN7's alleged systems administrator and the individual supposedly responsible for maintaining the organization's servers and communication channels, was arrested in Dresden, Germany, earlier this year at the behest of US authorities. He is currently being detained in Seattle and will go to trail October 22.

Fedorov, described by prosecutors as a high-level FIN7 hacker and supervisor of individuals tasked with breaching victim networks, was arrested in Bielsko-Biala, Poland, earlier this year and is currently being held there pending extradition to the US.

Spanish authorities in June arrested Kolpakov in Lepe, Spain, where he remains detained pending a US request for his extradition.

The arrests and subsequent indictments mark a huge victory for law enforcement in the US and elsewhere. "The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise," said Jay Tabb, special agent in charge at the FBI's Seattle field office in a statement announcing the arrests.

Security vendor FireEye, which has been tracking FIN7 since 2015, described the group's activities as being primarily focused on payment card data theft. One of its most recent victims was Hudson's Bay—the owners of brands such as Saks and Lord & Taylor. The attack netted the group 5 million credit card records, which it later sold in underground markets. But not all of FIN7's attacks are payment card-related.

Earlier this year, researchers at FireEye discovered FIN7 targeting people at multiple organizations who were responsible for filing required company financial details with the US Securities and Exchange Commission. In that specific case, the goal appears to have been to try and steal information that would have helped the group profit through insider trading, FireEye said in a blog Wednesday.

When FIN7 has not been able to accomplish its initial goal of stealing payment card data from a victim organization, the group has also been observed going after finance department personnel at the same firm, FireEye says.

Personalized Hacks

FIN7's typical modus operandi has been to send highly sophisticated phishing emails to users at target organizations to try and get them to click on Word documents and other attachments with embedded malware. "Their phishing has often exploited urgent, high value business matters tailored to their chosen targets," FireEye said.

For example, FIN7 operatives have contacted managers at individual stores about being overcharged for something and attached a malicious document to it purporting to be the "receipt." When targeting a restaurant, the phishing email might refer to a food poisoning complaint and lure recipients to click on the malicious attachment to get more details. Often, FIN7 operatives have gone to the extent of placing phone calls to targeted individuals either before or after sending them a rouge email in an effort to lend greater credibility to their phishing lure.

Once a system is infected, FIN7 uses its C2 infrastructure to download an array of additional sophisticated malware tools for exfiltrating data, conducting surveillance, enabling lateral movement and carrying out other malicious activities. Some of the tools have the ability to take screen shots and make video recordings of user activity so FIN7 can locate and extract payment data, financial information, and other data of interest to the group.

FIN7's exceptional social engineering skills and methods to evade detection have contributed to its growth as a sophisticated cybercrime enterprise, said Kimberly Goody, manager of financial crime analysis at FireEye.

"Financially-motivated threat actors are becoming extremely advanced and are capable of inflicting significant harm on organizations through vast, carefully orchestrated campaigns," she said. "FIN7 is a prime example of this."

FireEye does not expect the arrests of Fedorov, Hladyr, and Kolpakov to necessarily lead to a cessation of FIN7's activities. What's more likely is that some of the remaining members will continue with the criminal operation using modified tactics, techniques, and procedures. It is also plausible that the group will split up into multiple smaller operations and carry out separate operations, FireEye said.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address allows attackers in the local network to access multiple quagga VTYs. Attackers can...
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.