On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation

On Aug. 1, 2018, the United States District Attorney’s Office for the
Western District of Washington unsealed indictments and announced the
arrests of three
individuals within the leadership ranks of a criminal organization
that aligns with activity we have tracked since 2015 as FIN7. These
malicious actors are members of one of the most prolific financial
threat groups of this decade, having carefully crafted attacks
targeted at more than 100 organizations. FIN7 is referred to by many
vendors as “Carbanak Group,” although we do not equate all usage of
the CARBANAK backdoor with FIN7. This blog explores the range of
FIN7’s criminal ventures, the technical innovation and social
engineering ingenuity that powered their success, a glimpse into their
recent campaigns, their apparent use of a security company as a front
for criminal operations, and what their success means for the threat
landscape moving forward. With this release, FireEye is also providing
technical context, historical indicators, and techniques that
organizations can use to hunt for FIN7 behavior enterprise-wide.

FIN7 Does the Crime…

The threat group is characterized by their persistent targeting and
large-scale theft of payment card data from victim systems, at least a
portion of which it has monetized through a prominent card shop. But
FIN7’s financial operations were not limited to card data theft. In
some instances, when they encountered and could not obtain payment
card data from point of sale (POS) systems secured with end-to-end
encryption (E2EE) or point-to-point encryption (P2PE), FIN7 pivoted to
target finance departments within their victim organizations.

Furthermore, in April 2017, FireEye reported that FIN7 sent spear
phishing emails to personnel involved with United States Securities and
Exchange Commission (SEC) filings at multiple organizations, providing
further insight into FIN7’s targeting. These
targeted individuals would likely have access to material non-public
information that FIN7 actors could use to gain a competitive advantage
in stock trading.

Diversification of their monetization tactics has allowed the group
to impact a wide range of industries beyond those solely associated
with the payment card industry. During campaigns that FireEye associates
with FIN7, victims within the following sectors have been targeted
within the United States and Europe: