U.S. Charges 3 Members of the Notorious FIN7 Cybercriminal Group

The U.S. Department of Justice announced charges against three leading members of a cybercriminal group called FIN7 that hacked into more than 100 U.S. businesses. The three men are Ukrainian nationals and are already in custody.

FIN7, also known as Carbanak, is a group that has been operating since 2015 and compromised hundreds of companies and financial organizations worldwide. According to the DoJ, the group has dozens of members and even ran a front cybersecurity company called Combi Security to recruit hackers.

FIN7 is known as one of the first groups to use stealthy fileless malware techniques, hide its command-and-control communications in DNS traffic and abuse third-party dual-use tools including PowerShell, Meterpreter and Mimikatz—a technique known as living off the land.
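Hiding command-and-control traffic in DNS works because DNS is almost always allowed out of a network, but it leaves a characteristic footprint: long, high-entropy labels and many unique subdomains under one registered domain. The following detector is an added example written for this article, not code from the DoJ, the FBI or any FIN7 tooling. The log lines are constructed (the hostnames are not real indicators), the "registered domain is the last two labels" rule and the length and entropy thresholds are simplifying assumptions, and a production version would use a public-suffix list and tune thresholds against baseline traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log: timestamp, client IP, queried name, record type.
# These lines are made up for this example; nothing here is a real indicator of compromise.
SAMPLE_LOG = """\
2018-08-01T10:00:01Z 10.0.0.15 www.example.com A
2018-08-01T10:00:02Z 10.0.0.15 mail.example.com MX
2018-08-01T10:00:03Z 10.0.0.22 4a6f686e20446f65.1a2b3c4d5e6f7a8b9c0d1e2f.cdn-update.example.net TXT
2018-08-01T10:00:04Z 10.0.0.22 7ab3c9d0e1f2a3b4c5d6e7f8091a2b3c.e4f5a6b7c8d9e0f1a2b3c4d5.cdn-update.example.net TXT
2018-08-01T10:00:05Z 10.0.0.15 api.github.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str):
    """Yield (timestamp, client, qname, qtype) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qname, qtype = parts
            yield ts, client, qname.rstrip(".").lower(), qtype.upper()


def split_name(qname: str):
    """Return (subdomain labels, registered domain).
    Assumption: the registered domain is the last two labels. A real deployment
    should use a public-suffix list so that names like example.co.uk are split correctly."""
    labels = qname.split(".")
    return labels[:-2], ".".join(labels[-2:])


def score_query(qname: str, qtype: str, max_label_len: int = 20, min_entropy: float = 3.5) -> dict:
    """Score a single query; 'reasons' is empty for names that look like normal traffic.
    The thresholds are assumptions chosen for this example, not measured values."""
    sub, reg = split_name(qname)
    longest = max((len(label) for label in sub), default=0)
    payload = "".join(sub)
    ent = shannon_entropy(payload)
    reasons = []
    if longest > max_label_len:
        reasons.append(f"label length {longest} > {max_label_len}")
    if len(payload) >= 16 and ent >= min_entropy:
        reasons.append(f"subdomain entropy {ent:.2f} >= {min_entropy}")
    if qtype == "TXT" and longest > max_label_len:
        reasons.append("TXT lookup with a long label (a common tunnelling channel)")
    return {"qname": qname, "registered_domain": reg, "longest_label": longest,
            "entropy": ent, "reasons": reasons}


def find_suspicious(text: str) -> list:
    """Return the queried names whose score carries at least one reason."""
    flagged = []
    for _, _, qname, qtype in parse_log(text):
        if score_query(qname, qtype)["reasons"]:
            flagged.append(qname)
    return flagged


def unique_subdomain_counts(text: str) -> dict:
    """Count distinct subdomain prefixes per (client, registered domain).
    A tunnel needs a fresh subdomain for every message, so this count grows
    far faster for a tunnel endpoint than for ordinary browsing."""
    seen = defaultdict(set)
    for _, client, qname, _ in parse_log(text):
        sub, reg = split_name(qname)
        if sub:
            seen[(client, reg)].add(".".join(sub))
    return {key: len(subs) for key, subs in seen.items()}


if __name__ == "__main__":
    for _, client, qname, qtype in parse_log(SAMPLE_LOG):
        result = score_query(qname, qtype)
        if result["reasons"]:
            print(f"{client} {qname}: {'; '.join(result['reasons'])}")
    for (client, reg), n in unique_subdomain_counts(SAMPLE_LOG).items():
        print(f"{client} -> {reg}: {n} unique subdomain(s)")
```

Run against the constructed log, the two TXT queries from 10.0.0.22 are flagged for their long labels while the ordinary A and MX lookups pass; the per-client subdomain count is the signal worth alerting on over a longer window, because an encoded channel cannot avoid producing new names.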

According to the indictments unsealed Aug. 1, FIN7 hacked into thousands of computers belonging to businesses in 47 U.S. states. The group stole more than 15 million customer card records from more than 6,500 individual point-of-sale terminals at more than 3,600 separate business locations, the DoJ said.

The affected companies were predominantly active in the restaurant, gaming and hospitality industries and included Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli.

Each of the three Ukrainian nationals—Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30—has been charged with 26 counts including computer hacking, access device fraud, aggravated identity theft, wire fraud and conspiracy.

“The naming of these FIN7 leaders marks a major step towards (sic) dismantling this sophisticated criminal enterprise,” said Special Agent in Charge Jay S. Tabb Jr. of the FBI Seattle Field Office. “As the lead federal agency for cyberattack investigations, the FBI will continue to work with its law enforcement partners worldwide to pursue the members of this devious group, and hold them accountable for stealing from American businesses and individuals.”

Hladyr was arrested in Dresden, Germany, in January and is currently detained in Seattle pending a trial scheduled for Oct. 22. He is believed to have held a managerial role in the group and acted as its systems administrator, running servers and communications channels.

Fedorov is believed to have been another high-level FIN7 manager and hacker who supervised other hackers in the group. He was also arrested in January, but in Bielsko-Biala, Poland, where he remains in custody pending an extradition request by the United States.

Andrii Kolpakov, another alleged hacker supervisor in the group, was arrested in late June in Lepe, Spain. He is also detained pending a U.S. request for extradition.

The DoJ also published a fact sheet that describes how FIN7 attacked victims and stole data. The group typically sent phishing emails to the employees of targeted businesses with malware embedded in Microsoft Word documents. Sometimes the group’s members followed up the emails with telephone calls to the employees to trick them into opening the malicious documents and allowing the malware to execute.

Once a system was infected, the group was able to deploy additional malware and various tools on it, including an adapted version of the Carbanak malware that has been used in the past to steal money from banks and other financial institutions. This malware allowed hackers to monitor employees and their activities on computers, take screenshots, record keystrokes, steal credentials and eventually locate sensitive customer data.

Stolen payment card details were put up for sale on underground forums and were then used by other cybercriminals to make unauthorized charges on people’s accounts, most commonly for retail purchases and gift cards.

“FIN7 is one of the most sophisticated and aggressive malware schemes in recent times, consisting of dozens of talented hackers located overseas,” the DoJ said. “FIN7 uses an arsenal of constantly evolving malware tools and hacking techniques, and controls infected computers through a complex web of servers located throughout the world.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
