The Ukrainian national Fedir Hladyr was one of only three suspects arrested in 2018 who helped orchestrate thousands of network breaches against more than 100 US companies, alongside the theft and sale of millions of customer card details and data records.
Although the sentence was a high note for US law enforcement in the war against organized cybercrime, Hladyr represents only the tip of the iceberg. He was, after all, working on behalf of a much larger entity – the notorious, global operation known as ‘FIN7’.
Who are FIN7?
The Russia-based group, now considered one of the most serious threats to banks worldwide, targets organizations in the financial, gambling, retail and hospitality sectors: in practice, wherever payment card data is handled in bulk. Most of its victims are in the US, but the group has also attacked organizations in Australia, France and the UK.
FIN7 first caught the public eye in January 2015, after it was discovered using malware to target banks and ATMs. The group is now said to have raked in over a billion dollars, leaving a long and costly trail of damage in its wake. In the US alone, FIN7 has breached thousands of business locations and point of sale (POS) systems across all 50 states, harvesting tens of millions of card details in the process.
Made up of an international workforce, FIN7 is hard to pin down and highly professional: the group is thought to have over 70 members, split into distinct hacking, business, developer and content roles. Even though several senior figures have been indicted, arrested and sentenced in recent years (Hladyr among them), the group shows no sign of slowing down. Instead, FIN7 appears to be fragmenting into smaller outfits that continue to target businesses in the financial sector.
Methods of Attack
FIN7 specializes in spear-phishing operations, deploying custom-built trojan malware to gain initial access to a network. Typically, the group sends carefully crafted phishing emails to an organization's employees (sometimes reinforced with follow-up phone calls and further emails) and gains remote control of a machine as soon as the recipient opens the malicious attachment. The attachments abuse Microsoft Office, whether through a vulnerability or through features such as macros and embedded objects, or carry embedded executable files. Once inside, FIN7 compromises financial networks to intercept bank transfers, plunder card details (which are sold on underground marketplaces) and trigger ATM cash withdrawals.
FIN7's toolset is varied and has been updated consistently over the years. Most of the time, however, the group relies on the 'Carbanak' command and control backdoor, which gives the operators remote access to a compromised host and spies on banking applications and web sessions through keylogging and screenshot capture. The name causes FIN7 to be confused with a separate threat group that also goes by 'Carbanak' and originally created the malware, but the two are thought to be distinct entities.
FIN7 also uses the POS malware Pillowmint and the Tirion backdoor (which is thought to be succeeding Carbanak). More recently, the group has adopted the commercial penetration-testing framework 'Cobalt Strike', modifying and extending it for its own purposes. With this tool, FIN7 carries out enumeration, privilege escalation and lateral movement inside a victim's internal network while keeping a low profile, since Cobalt Strike activity is easily mistaken for legitimate red-team testing.
FIN7 has even been known to mount more unorthodox BadUSB attacks, albeit rarely, to reach target networks. In 2020, for example, the group mailed malicious USB drives to organizations; once plugged in, a drive presents itself as a keyboard and types out the commands that install its malware on the Windows machine, right under the nose of the unsuspecting employee.
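Whatever the delivery mechanism described above, a maldoc attack and a keystroke-injecting USB drive both end in the same observable event: an Office application or the desktop shell launches a script host or PowerShell, frequently with an encoded command line. The following is an added example, not code from the original page or from the threat hunting series, of the kind of offline hunt a defender runs over process-creation telemetry to surface that stage. The parent and child process lists, the log field names and the sample records are all constructed for illustration (Sysmon-style process-creation events rendered as newline-delimited JSON); tune them to your own telemetry.

```python
"""Hunt process-creation telemetry for the launch stage of FIN7-style lures.

Two heuristics are applied to every record:
  1. an Office application spawning a script interpreter or shell;
  2. a PowerShell command line carrying an encoded command, whatever the parent,
     which also covers commands typed in by a keystroke-injecting USB device.
All lists, field names and sample records below are assumptions made for this example.
"""
import json
import re
from typing import Dict, List

# Office applications in which a malicious document would be opened (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters and living-off-the-land binaries an Office process rarely has a
# legitimate reason to start (assumed list; extend to taste).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e, -ec and -enc
# are the spellings commonly seen. -ExecutionPolicy must NOT match.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc(?:odedcommand)?)?(?=\s|$)", re.IGNORECASE)

# Constructed sample telemetry, not real events. JSON escaping keeps the Windows paths intact.
SAMPLE_EVENTS = r"""
{"host": "ws-0412", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "WINWORD.EXE /n C:\\Users\\alice\\Downloads\\invoice_4411.docm"}
{"host": "ws-0412", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\wscript.exe", "command_line": "wscript.exe //B C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_4411.js"}
{"host": "ws-0412", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\splwow64.exe", "command_line": "C:\\Windows\\splwow64.exe 12288"}
{"host": "ws-0377", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"host": "ws-0201", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"}
{"host": "ws-0533", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -w hidden -enc SQBFAFgAIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdAA"}
{"host": "ws-0377", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -w hidden -File C:\\Users\\bob\\AppData\\Local\\Temp\\stage.ps1"}
{"host": "ws-0201", "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}
"""


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of heuristic names an event triggers (empty if benign)."""
    reasons = []
    parent = image_name(event.get("parent_image", ""))
    child = image_name(event.get("image", ""))
    cmdline = event.get("command_line", "")
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        reasons.append("office_spawned_interpreter")
    # Parent-agnostic: catches a cmd.exe wrapper and a keystroke-injected launch alike.
    if "powershell" in cmdline.lower() and ENCODED_FLAG.search(cmdline):
        reasons.append("encoded_powershell")
    return reasons


def hunt(text: str) -> List[Dict[str, object]]:
    """Run both heuristics over the telemetry and return one finding per hit, in log order."""
    findings = []
    for event in parse_events(text):
        reasons = classify(event)
        if reasons:
            findings.append({
                "host": event.get("host", "?"),
                "parent": image_name(event.get("parent_image", "")),
                "child": image_name(event.get("image", "")),
                "command_line": event.get("command_line", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['parent']} -> {finding['child']} "
              f"[{', '.join(finding['reasons'])}]")
        print(f"    {finding['command_line']}")
```

Run against the constructed sample, the hunt flags four of the eight records: Word launching a script host, Excel launching cmd.exe with an encoded PowerShell payload (both heuristics fire), an encoded PowerShell launched straight from explorer.exe (the shape a typed-in BadUSB payload takes) and Outlook launching PowerShell. Word's print helper splwow64.exe and an administrator's `-ExecutionPolicy Bypass` script are left alone, which is the point of anchoring the encoded-command check on the real PowerShell flag spellings rather than on any argument beginning with `-e`.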
Although law enforcement agencies constantly monitor threat groups such as FIN7, there are many ways in which you can fight back too. That's where our brand new threat hunting series comes in.
Introducing our new FIN7 threat hunting series
As FIN7 still poses a significant threat to organizations and individuals around the world, we’ve created this series to provide you with the defensive tools and techniques necessary to combat its malicious activities.
In these purpose-built labs, you'll follow the scenario of a malicious document sent as part of a targeted FIN7 phishing campaign. Once the document is opened, the group uses command and control to establish persistence and expand its access, before moving laterally into the IT administrative network and extracting card details.
Throughout the series, you'll explore the methods, tactics and techniques used by FIN7. By following each step of the attack scenario, from initial access through to the theft of card data, you'll gain a complete overview of a FIN7 compromise, alongside the skills needed to respond, so you can safeguard yourself and your organization against this threat group in the future.