August 3, 2022
CTIG Threat Actor Group Study: Fin7
August 3, 2022
Fin7 is a notorious international cybercrime group, widely considered to be one of the premier theft rings over the past several years. A prolific, skilled, and creative organization, by 2015 they had appropriated over 20 million credit card numbers, totaling over $1bn in damages. This group has stolen everything from cash to intellectual property and is believed to have written the code responsible for the initial access in the Colonial Pipeline attack.
New concerns were raised by a recent Mandiant report, and subsequent tracking by Recorded Future, that this actor seems to have expanded their enterprise to include carrying out ransom attacks beyond gaining their own initial access. In addition to the threat of extracting currency and data, Fin7 now seems intent on becoming the digital manifestation of farm-to-table larceny.
Fin7 appears to be based in Eastern Europe; three Ukrainian nationals were indicted by the U.S. Department of Justice in 2018 and several of their recruiting campaigns were focused on acquiring talent in former Soviet satellite states. While it may seem out of place that a high-profile actor would openly recruit, the group does this by creative means.
Subterfuge is an essential custom for any attacker and Fin7 has embraced it on many levels. To both recruit, and camouflage some of their approach vectors, the group has been known to invent fraudulent cybersecurity companies. The first known case of this was “CombiSecurity”, and more recently “Bastion Secure”, which was used to recruit legitimate IT specialists in several disciplines as an elaborate smoke screen for finding sysadmins in particular. They advertised throughout the countries formerly aligned with the Soviet Bloc, offering and delivering competitive pay scales for the region.
Once the applicants began the screening process, they were instructed to complete several assessment “tests,” ostensibly to vet their skills for employment. Recruits were given precise instructions to set up lab environments and employ specific tools. Much like the Battle School in the movie “Ender’s Game,” the tryouts were in fact real. The output of the tools would provide the mapping of potential victim environments and backups, allowing Fin7 to outsource their reconnaissance. They both controlled the process and were insulated from it at the same time.
Fin7 is not above using old-school methods to gain entry as well. In a nod to tradition, they used their front companies to send trojanized USB sticks through the mail, targeting specific individuals and organizations in the United States. According to an FBI report from January 2022, they used Best Buy and Amazon packaging and shipped “gift” boxes through both UPS and the USPS to unsuspecting victims. This campaign began in early 2020 and lasted through the fall of 2021, first targeting logistics firms and then moving on to the Defense sector.
Their spear phishing campaigns are also performed at a very high skill level. According to a report from Kaspersky labs, Fin7 demonstrated patience and finesse in exchanging benign messages with their victims for weeks at a time, using empathy-based dialogue to establish familiarity before finally sending the malicious file.
On the bright side, greed can drive anyone to make mistakes. The information regarding the TTPs of the recruitment process has come to us via Gemini Advisory’s reporting, where a source had been approached for recruitment and supplied details of the process through all stages, including analysis of the toolset.
While their evolution does not present a new element to the ransomware game, it is worthy to note that yet another highly skilled attacker has decided to devote more energy to ransom operations. This suggests they plan a greater return on the investment of their time and talents. Considering the background and creativity of these actors, it should be expected that they will, unfortunately, appear in the news again soon.
As one can see, Fin7 is an accomplished group. This is especially true in two critical areas: spear phishing and the use of PowerShell to conduct low-profile, “living off the land” techniques post-exploitation. To quote the Mandiant report: “PowerShell is FIN7’s love language.”
Cybrary has an excellent module explicitly designed with this in mind, in our Threat Actor Campaign series. Our Ransomware for Financial Gain course will take you through a solid foundation through realistic scenarios and a lab environment, to give you every advantage needed to prepare.
- “Carbon Spider”
- “Cobalt Gang”
- “Carbanak” and the malware of the same name
- Darkside (RaaS)