FIN7, also known as the “CARBANAK Group”, “Carbon Spider”, “Anunak”, and the “Navigator Group”, is a financially motivated Eastern European cyber threat collective that has been active since at least 2015 (some estimates date their origin to 2011 or 2012). The organization is composed of a very sophisticated network of developers and hackers and has suspected links to Russian organized criminal elements as well as loose ties to the Russian GRU.
According to public court documents, the group has over 70 active members.[1] Mandiant has recently estimated that up to 17 unknown hacking groups may be operating under the FIN7 umbrella organization to varying degrees. The group appears to divide operations between subordinate groups, making FIN7 harder to track due to its numerous members and differing methods of hacking.
Since 2015, FIN7 has netted roughly $1B, with cybersecurity company Morphisec claiming that FIN7 brought in an estimated $50 million a month in 2018 alone.[2]
In the past, FIN7 primarily targeted the hotel and restaurant sectors, but it has recently begun to target a wide variety of industries, including retail, hospitality, gaming, travel, telecommunications, construction, education, government agencies, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities.[3]
FIN7 has mainly been focused on the theft of credit card information from businesses worldwide but has evolved to include more targeted ransomware and extortion attacks. Since 2020, FIN7 has also begun to sell initial access to networks to other prominent ransomware groups like Ryuk.
This threat group historically relied on CARBANAK malware; other malware and tools attributed to FIN7 include a PowerShell backdoor, Cobalt Strike Beacon, and HALFBAKED. The group has also been linked to REvil, Lizar, Darkside, Blackmatter, and ALPHV ransomware. In 2020, FIN7 was also reportedly behind a targeted BadUSB attack against a US-based hospitality company.[4]
In August 2018, the US Department of Justice indicted three Ukrainian nationals and FIN7 operatives, Fedir Hladyr, Dmytro Federov, and Andrii Kolpakov, for cybercrimes that impacted more than 100 U.S. companies. A fourth, Denys Iarmak, who acted as a penetration tester for the group, was indicted in December 2019 and later sentenced to five years in prison. Kolpakov received seven years in prison, and Hladyr, who acted as a systems administrator for FIN7, was sentenced to 10 years in prison in 2021.[5] Despite these high-profile convictions, FIN7 has continued to carry out attacks.
Notable TTPs and Attacks
Payment Card Theft
FIN7 has been known to target interbank transfer systems such as SWIFT and SAP, ATM infrastructure, and point-of-sale terminals. According to the DOJ, from 2015 to 2018, FIN7 successfully stole more than 20 million customer card records from over 6,500 point-of-sale devices at more than 3,600 business locations.[6] Once the group stole card information, it would sell that information on underground marketplaces like the now-defunct “Joker’s Stash”.
A few notable examples of FIN7 payment card theft targets include Chipotle, Sonic Drive-In, Jason’s Deli, Arby’s, Red Robin, Chili’s, Burgerville, Saks Fifth Avenue, and Omni Hotels.
Securities and Exchange Commission (SEC)
In 2017, FireEye identified a spear-phishing campaign targeting the US SEC. FireEye found that FIN7 spoofed an email address from the SEC and sent a message to an in-house corporate counsel at a publicly traded company who was responsible for the firm’s securities filings.[7]
Once inside, the group deployed the PowerShell backdoor “POWERSOURCE”, followed by a second-stage backdoor, “TEXTMATE”, as well as a Cobalt Strike Beacon to further exploit the victim machine. This attack was ultimately thwarted, but had FIN7 succeeded, it could potentially have committed securities fraud or investment fraud on a massive scale.
In the past, FIN7 has hidden its hacking operations behind a number of cybersecurity front companies (“Combi Security”, “Bastion Secure”, “Check Point Software Technologies”, and “Forcepoint”). Using these fake companies, FIN7 recruited and tricked well-intentioned penetration testers into conducting malicious attacks on victims. These fronts recruited on Russian, Ukrainian, and Uzbek job placement boards.
The group’s tactics include:
- Social engineering and the creation of fake cybersecurity organizations and brands to evoke legitimacy.
- Highly creative spear-phishing emails with malware attachments.
- “Amygdala hijacking”, where the attacker attempts to elicit an emotional response from the target using fear tactics.
- Fileless malware campaigns.
- Selling initial access to other ransomware groups.
Previously, FIN7 was mainly focused on the theft of credit card information; it has since moved on to targeted ransomware and extortion campaigns.
FIN7 is highly stealthy and has shown the ability to evade security systems. In the Burgerville instance, FIN7 malware sat on the company’s network collecting payment data for nearly a year before it was discovered during an investigation by the FBI.