FIN7 is morphing into a broader, more dangerous cybercrime group
New research reveals that the notorious cybercrime group FIN7 is behind numerous clusters of previously unassigned threat activities spanning multiple years, targeting organizations across multiple regions and industries.
Mandiant’s research shows that the threat actor has shifted from a primary focus on retail and hospitality to organizations across a significantly broader range of industries, using a wider variety of tools than before.
In the process, FIN7’s motivations have also evolved, from primarily stealing payment card data to using ransomware, ransomware-enabled operations, and dual ransomware attacks. FIN7 has also introduced new attack tools and started using supply chain attacks and stolen credentials – in addition to its original phishing techniques – to gain initial access to target networks.
In a report this week, researchers at Mandiant said they were able to reliably connect FIN7 to eight separate clusters of threat activity dating back to at least 2020 and aimed at organizations in software, consulting, cloud services, financial services, utilities, food and beverage, and other sectors. The researchers said they have found a dozen intrusions at their customer sites since 2020 that can be traced back to FIN7. Mandiant researchers came to these conclusions after analyzing data related to the attackers’ infrastructure, attack vectors, malware code, and modus operandi associated with the different clusters of threat activity.
This analysis led Mandiant to reliably map up to 17 previously unmapped threat activity clusters to FIN7. Zander Work, technical analyst at Mandiant, says currently available evidence suggests the threat actor is linked to nearly two dozen other threat clusters, although he has not been able to reliably confirm those links.
“We currently suspect another 22 threat clusters with different levels of trust to FIN7,” says Work. “These [threat clusters] are not necessarily indicative of independent threat actors, but rather represent activities that may be related based on overlapping TTPs.”
FIN7 (aka Carbanak Group and Cobalt Group) is a threat actor that, like many others, has stubbornly persisted despite multiple efforts to stop it. Just last week, the FBI warned that the group was mailing malicious USB sticks to organizations in the defense, insurance and transportation industries with the aim of introducing ransomware onto their networks.
Previous vendor studies have estimated that the group stole well over $1.2 billion, most of it — at least initially — from the sale of data related to millions of stolen credit and debit cards. Among the group’s hundreds of victims are well-known companies such as Saks Fifth Avenue, Chipotle Mexican Grill, Arby’s and Hudson’s Bay Brands. The group has also been linked to attacks on thousands of point-of-sale terminals at thousands of business locations.
In 2018, the FBI arrested three key members of FIN7, one of whom was later sentenced to 10 years in prison. The arrests did nothing to prevent the group from operating as usual, growing larger and expanding into other areas of criminal activity. Mandiant estimates the group has dozens of members and has ramped its activity back up to the volumes seen before the 2018 arrests.
“In the past, FIN7 has monetized its intrusions by stealing payment cards, and Mandiant has observed that they have primarily targeted US retail and hospitality companies,” says Work.
In most cases, the group’s victims – and attacks – were targeted. However, as of 2020, Mandiant observed that the FIN7 campaigns became so broad in scope that some of their targets were seemingly chosen without much care. “It’s reasonable to assume that any organization large enough to pay a ransom and that FIN7 suspects don’t attract unwanted geopolitical attention is a possible target,” Work says.
Evolving toolkit and tactics
As the group has evolved, so have its attack toolkit and initial access techniques. For example, FIN7 used to rely heavily on phishing campaigns to deliver malware downloaders called Griffon or Carbanak and Loadout to targeted networks. More recently, the threat actor has used stolen credentials and attacks via third-party websites to gain initial access. In one recent attack, FIN7 first compromised a digital products company’s website and modified several download links on the site to point to an Amazon S3 bucket containing a backdoored version of a legitimate remote management tool.
Instead of using Loadout and Griffon, FIN7 is increasingly attempting to deploy its malware directly into a victim’s network. Two tools the group has been using in particular recently are Powerplant, a modular, multifunctional backdoor, and Beacon, a tool that FIN7 uses alongside Powerplant as a secondary means of access to compromised networks.
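One defensive check a site owner can run against the link-tampering described above, as an added illustration that is not code from Mandiant or the article: periodically parse the site’s own pages and flag any binary download link whose host is not in the expected baseline (the vendor hostnames, sample HTML and bucket name below are constructed placeholders).

```python
"""Flag download links on a vendor page that point at unexpected hosts.

Added illustration, not Mandiant's tooling. The attack described above
rewrote download links to an Amazon S3 bucket; comparing link hosts against
the hosts a site is known to serve installers from surfaces such a change.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Assumed baseline: hosts this site legitimately serves installers from.
EXPECTED_DOWNLOAD_HOSTS = {"downloads.example-vendor.com"}
BINARY_SUFFIXES = (".exe", ".msi", ".zip", ".dmg", ".pkg")


class LinkCollector(HTMLParser):
    """Collect every <a href> on a page, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(urljoin(self.base_url, href))


def find_suspicious_download_links(html, base_url, expected_hosts=EXPECTED_DOWNLOAD_HOSTS):
    """Return binary-looking links whose host is outside the expected set."""
    parser = LinkCollector(base_url)
    parser.feed(html)
    flagged = []
    for link in parser.links:
        parsed = urlparse(link)
        if parsed.path.lower().endswith(BINARY_SUFFIXES) and parsed.hostname not in expected_hosts:
            flagged.append(link)
    return flagged


# Constructed sample: one legitimate link, one rewritten to a placeholder S3 bucket.
SAMPLE_HTML = """
<a href="https://downloads.example-vendor.com/tool-1.2.msi">Download</a>
<a href="https://PLACEHOLDER-BUCKET.s3.amazonaws.com/tool-1.2.msi">Download</a>
<a href="/docs/manual.html">Documentation</a>
"""

if __name__ == "__main__":
    for link in find_suspicious_download_links(SAMPLE_HTML, "https://www.example-vendor.com/"):
        print("download link outside baseline:", link)
```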
Jeremy Kennelly, Mandiant’s senior manager of financial crime analysis, says that FIN7’s shift away from payment card data theft to ransomware operations has made it much harder to assess the damage it is now causing. “The damage from ransomware intrusions goes far beyond the ransom paid; recovery efforts can cost significantly more and result in business or brand damage that is not easily calculable,” he says.
Regardless of specific numbers, the group’s evolving targets have almost certainly inflicted significant financial losses on its victims and the victims of other criminals whose operations they enabled, Kennelly says.
Bryce Abdo, senior analyst at Mandiant, says FIN7’s advantage over other groups lies in its tooling, craft, and evasive maneuvers. Backdoors the group uses — like Powerplant and another tool called Diceloader — are complex and sophisticated, he says. The group has also demonstrated its ability to limit the information security researchers can gather about its operations through measures such as infrastructure hardening and complex obfuscation techniques.
“FIN7’s way forward is likely a combination of relationships with ransomware operators and affiliates combined with extortion using stolen data as leverage,” says Abdo. “This assessment is based on FIN7’s previous relationships with [ransomware groups] Maze, DarkSide, and ALPHV, where the dual threat of pre-ransomware data theft is common.”