According to three federal indictments, Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, are allegedly members of a prolific, professional, highly adaptable hacking group widely known as Fin7, though it’s also referred to as the Carbanak Group and the Navigator Group, among many other names.
The DOJ says that since 2015, Fin7 has engaged in “a highly sophisticated malware campaign” targeting more than 100 US companies, predominantly in the restaurant, gaming, and hospitality industries, hacking into thousands of computer systems and stealing millions of customer credit and debit card numbers in order to sell them.
Security groups have been tracking the actors for longer than that, however: the thinking is that Fin7 evolved from malware campaigns between 2013 and 2015 that used the banking Trojans Carberp and Anunak to attack financial institutions.
Fin7 doesn’t just work in the US, but the DOJ says that just its US sprees alone have included raids on the networks of companies in 47 states and the District of Columbia, with the theft of more than 15 million credit card records from 6,500 Point-of-Sale (PoS) terminals at more than 3,600 separate business locations.
The organization has also ransacked computer networks in the UK, Australia and France. Publicly disclosed hacks attributable to Fin7 include Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli.
Each of the three Fin7 suspects is charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft. Two of the suspects – Fedir Hladyr and Dmytro Fedorov – were arrested by foreign police in January 2018 at the request of the US.
Hladyr allegedly served as Fin7’s sysadmin: his alleged duties were maintaining servers and the organization’s communication channels, and he was also a manager who delegated tasks to, and trained, his hacker underlings. Hladyr was arrested in Dresden, Germany, and is now in prison in Seattle, awaiting his 22 October trial.
The DOJ described Fedorov as a top hacker who also allegedly supervised other hackers. He was arrested in Bielsko-Biala, Poland. Fedorov’s in custody in Poland pending extradition to the US.
The third alleged Fin7 member is Andrii Kolpakov, who Spanish police arrested in Lepe in June. Kolpakov was allegedly a supervisor of a group of hackers and is still in Spain, also pending the US’s request for his extradition.
Arresting three alleged high-ranking members of this crime syndicate is good news. It is, in fact, the first win against this powerful syndicate. But will it actually slow them down?
After all, a few months after two of the arrests of these allegedly top-level actors, Fin7 ripped off retailers Saks and Lord & Taylor, stealing 5 million credit cards over Easter weekend in April.
After that Point-of-Sale-a-palooza, Wired painted a detailed portrait of the organization, which goes by a very, very long list of aliases besides “Fin7” (which is associated with retail and hospitality credit card number heists). What might be another group, another division within F7, or a pre-existing gang that Fin7 spun off from, focuses on targeting financial organizations to directly steal and launder money and has been called Carbanak or Cobalt, which are also the names of the malware it uses.
Just that operation alone has stolen a total amount that must be significantly above €1 billion, a spokesman for the European Banking Federation (EBF) has said. The security firm Crowdstrike, meanwhile, calls the two specialized outfits Carbon Spider (which goes after financial institutions and ATMs) and Cobalt Spider (which targets the retail and hospitality industries). Then again, threat intelligence firm Gemini Advisory also sometimes calls Fin7 “Joker Stash,” after the dark web marketplace where the group sells its stolen credit card data.
Dmitry Chorine, cofounder and CTO of Gemini Advisory, which works with financial institutions and which first reported the Saks/Lord & Taylor breach, told Wired that years of tracking has shown that Fin7 operates as a legitimate business entity that must be worth “at least” $1 billion.
They definitely have a mastermind, they have managers, they have money launderers, they have software developers, and they have software testers. And let’s not forget they have the financial means to stay hidden. They make at least $50 million every month. Given that they’ve been in business for many years, they probably have at least a billion dollars on hand.
Still, while the arrests announced on Wednesday might not be a stake through Fin7’s heart, the DOJ thinks they have shone some daylight on the shadowy group and, to some extent, clipped its wings. US attorney Annette Hayes, at a press conference announcing the indictments:
This investigation continues. We are under no illusion that we have taken this group down altogether. But we have made a significant impact. These hackers think they can hide behind keyboards in faraway places, and that they can escape the long arm of United States law. I’m here to tell you, and I think this announcement makes clear, that they cannot do that.
The DOJ provided this fact sheet (PDF) on how Fin7 attacked and stole data. As the indictments describe, Fin7’s modus operandi is typified by a phishing email sent on or around 27 March last year to a Red Robin Gourmet Burgers and Brews employee from firstname.lastname@example.org.
The sender complained about a recent experience and urged the recipient to open the attachment for further details. Alternatively, if Fin7 was targeting a hotel chain, the sender of the phishing email might claim to be interested in making a reservation with details enclosed in the attachment. These attachments looked like innocuous files – Microsoft Word docs, for example – but were rigged with malware. Sometimes, Fin7 would accompany the spearphishing messages with a telephone call, to legitimize the messages and talk employees into opening them.
The spear-phished Red Robin employee opened the attachment. Within days, Fin7 had mapped the restaurant chain’s internal network. Within a week, it had obtained a username and password for the restaurant’s PoS software management tool.
Once infected, a victim computer would connect to one of Fin7’s command and control servers, located throughout the world. Through a specially designed control panel, Fin7 could slather on yet more malware, remotely send commands and receive data, and move laterally through the company’s network.
Inside of two weeks, the DOJ says, a Fin7 member allegedly uploaded a file containing hundreds of usernames and passwords for 798 Red Robin locations, along with “network information, telephone communications, and locations of alarm panels within restaurants.”
Besides Red Robin, the indictment alleges nine other similar incidents, each of which followed more or less the same pattern. It started with an email that doesn’t necessarily have an attachment. It might be a reservation inquiry sent to a hotel, for example, or an order to a catering company. Further communications would push employees to opening up the attachment, the indictment said:
When targeting a hotel chain or restaurant chain, a conspirator would make a follow-up call falsely claiming that the details of a reservation request, catering order, or customer complaint could be found in the file attached to the previously delivered email.
To add insult to injury, and to further exemplify how slick it is at selling its crappy, phishy, malwarey goods, Fin7 also masqueraded as a security company called Combi Security, the DOJ says.
Combi was sheep’s clothing for Fin7’s wolf work: the legitimate sounding name enabled Fin7 to recruit hackers and possibly even clients gullible enough to buy its purported security services, which included penetration testing.
As of Wednesday, they have a few more vacancies to fill.