On August 1, the U.S. Department of Justice announced the arrests of three individuals described as “high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe,” FIN7. In three separate indictments returned in the Western District of Washington and unsealed August 1, Ukrainian nationals Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov, each were charged with 26 federal felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.
According to the Department, since at least 2015, members of FIN7 (also known as the Carbanak Group and the Navigator Group) “engaged in a highly sophisticated malware campaign targeting more than 100 U.S. companies, predominantly in the restaurant, gaming, and hospitality industries.” FIN7’s method, as shown in a Justice Department chart, was to launch numerous waves of cyberattacks on numerous businesses operating in the United States and abroad. The cyberattacks were initiated with “spear phishing” email messages that would appear legitimate to businesses’ employees, accompanied by telephone calls that were intended to provide additional legitimacy to the emails. Once a recipient opened the emails and activated a file, FIN7 used an adapted version of Carbanak (a remote backdoor designed, in part, to provide remote access to infected machines), as well as other tools, to access and steal payment card data pertaining to the business’ customers.
Overall, FIN7 allegedly
hacked into thousands of computer systems and stole millions of customer credit and debit card numbers, which the group used or sold for profit.
In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations. Additional intrusions occurred abroad, including in the United Kingdom, Australia, and France. Companies that have publicly disclosed hacks attributable to FIN7 include such familiar chains as Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli. Additionally in Western Washington, FIN7 targeted other local businesses.
Since 2015, FIN7 also allegedly sold the data in online underground marketplaces.
Each of the defendants reportedly played separate but related roles in FIN7’s operations: Fedorov, as a high-level hacker and manager who supervised other hackers assigned to breach the security of victims’ computer systems; Hladyr, “as FIN7’s systems administrator who, among other things, maintained servers and communication channels used by the organization and held a managerial role by delegating tasks and by providing instruction to other members of the scheme”; and Kolpakov, as a supervisor of a group of hackers.
Each of the three defendants is also at a separate stage of extradition and prosecution. In January 2018, the Polish Central Bureau of Investigation’s “Shadow Hunters” team arrested Fedorov, who remains in detention in Poland pending extradition to the United States, and the German State Criminal Police Office (Bundeskriminalamt) and the Dresden Police (Polizeidirektion Dresden) arrested Hladyr, who has since been extradited to the United States and is awaiting trial on October 22 in Seattle. In late June 2018, the Spanish National Police’s (Cuerpo Nacional de Policía’s) Logical Security Group (Grupo de Securidad Logica) arrested Kolpakov, who remains detained in Spain pending his extradition to the United States.
Compliance and information security managers and counsel concerned with cybercrime and cybersecurity issues should take note of these arrests for three reasons:
(1) Significance and Sophistication of Cybercrime Group: According to Wired, “ researchers regard FIN7 as a particularly professional and disciplined organization . . . [that] has developed its own malware tools and attack styles, and seems to have a well-funded research and testing division that helps it evade detection by antivirus scanners and authorities more broadly.” One threat intelligence expert estimated that FIN7 makes at least $50 million every month and “probably ha[s] at least a billion dollars on hand.”
In addition, FIN7 has shown versatility in its “spear phishing” targeting financial services companies and other corporations. Last year, for example, a digital security company reported that FIN7 appeared to be targeting persons involved with Securities and Exchange Commission (SEC) filings – many of them listed in the SEC filings — at 11 different organizations in the financial services, transportation, retail, education, IT services, and electronics sectors.
FIN7 also has shown sophistication in its recruiting techniques. In the case of the Fedorov/Hladyk/Kolpakov indictments, the Justice Department commented that FIN7 “used a front company, Combi Security, purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise. Combi Security’s website indicated that it provided a number of security services such as penetration testing.”
(2) Importance of Threat Intelligence: For the benefit of in-house cybersecurity and cybercrime experts, the documents that the Justice Department posted in connection with the arrests include a detailed summary of FIN7’s attacks and examples of the emails used to transmit infected files.
(3) Significance of Arrests and International Cooperation: As indicated above, the three defendants, though only three of the dozens of FIN7 members, reportedly played significant roles in FIN7’s operations. These arrests, however, are not the first law enforcement actions against FIN7 this year. On March 26, 2018, Europol reported that “[t]he [unnamed] leader” of FIN7 was arrested in Alicante, Spain, after an investigation by the Spanish National Police (SNP).
Both operations also indicate the extent to which law enforcement authorities are capable of coordinated investigations involving multiple jurisdictions. In the case of the Fedorov/Hladyr/Kolpakov arrests, the Justice Department gave credit for assistance not only to the foreign police services making the arrests, but to “the National Cyber-Forensics and Training Alliance, numerous computer security firms and financial institutions, FBI offices across the nation and globe, as well as numerous international agencies.” Similarly, in the case of the March 26 arrest, Europol stated that the SNP had the support of Europol, the FBI, the Romanian, Moldovan, Belarussian and Taiwanese authorities and private cyber security companies. In particular, Europol gave credit to its European Cybercrime Centre for “facilitat[ing] the exchange of information, host[ing] operational meetings, provid[ing] digital forensic and malware analysis support and deploy[ing] experts on-the-spot in Spain during the action day.”
Although criminal trials are far from the best means of learning about the details of cybercrime operations and techniques, additional details about FIN7 may come to light this fall in the upcoming trial of Hladyr.