New research shows the notorious cybercrime group FIN7 to be behind numerous clusters of previously unattributed threat activity spanning several years and targeting organizations in multiple regions and industries.
The study by Mandiant shows that the threat actor has shifted from mostly targeting the retail and hospitality sectors to aiming at organizations across a considerably broader range of industries using a wider range of weapons than before.
In the process, FIN7’s motivations have evolved as well, from mainly stealing payment card data to now deploying ransomware, ransomware-enabling operations, and double extortion attacks. FIN7 also has introduced new attack tools and has begun using supply chain attacks and the use of stolen credentials — in addition to its original phishing techniques — to gain initial access on target networks.
In a report this week, researchers from Mandiant said they had been able to reliably connect FIN7 to eight separate clusters of threat activity going back to at least 2020 that targeted organizations in software, consulting, cloud services, financial services, utilities, food and beverages, and other sectors. The researchers said it found a dozen intrusions at its customer locations since 2020 that are attributable to FIN7. Mandiant researchers made these conclusions after analyzing data related to attacker infrastructure, intrusion methods, malware code, and the modus operandi associated with the different clusters of threat activity.
That analysis led Mandiant to reliably attribute as many as 17 previously unattributed threat activity clusters to FIN17. Zander Work, technical analyst at Mandiant, says currently available evidence points to the threat actor being tied to nearly two-dozen other threat clusters, though it has not been able to reliably confirm these links.
“We currently suspect another 22 threat clusters of being FIN7 with varying levels of confidence,” Work says. “These [threat clusters] are not necessarily indicative of independent threat actors, and rather represent activity that may be related based on overlapping TTPs.”
Stubbornly Persistent
FIN7 (aka Carbanak Group and Cobalt Group) is a threat actor that, like many others, has stubbornly continued to operate despite multiple efforts to stop it. Only last week, the FBI warned of the group sending weaponized USB thumb drives to organizations in the defense, insurance, and transportation industries with the goal of introducing ransomware on their networks.
Previous vendor studies have estimated the group has stolen well more than $1.2 billion, most of it — initially, at least — from the sales of data related to millions of stolen credit card and debit cards. Among the group’s hundreds of victims are well-known companies, such as Saks Fifth Avenue, Chipotle Mexican Grill, Arby’s, and Hudson’s Bay Brands. The group has also been linked to attacks on thousands of point-of-sale terminals across thousands of business locations.
In 2018, the FBI arrested
three key members FIN7, one of whom was later sentenced
to 10 years in prison. The arrests have done nothing to stop the group from operating as usual, growing bigger and expanding into other areas of criminal operations. Mandiant estimates that the group has dozens of members and has ramped up activity to the volume it was before the 2018 arrests.
“Historically, FIN7 monetized their intrusions via payment card theft, and Mandiant observed them primarily targeting US retail and hospitality companies,” Work says.
In most instances, the group’s victims — and attacks — were specifically targeted. However, starting in 2020, Mandiant observed FIN7 campaigns becoming broad to the point where some of their targets appear to have been chosen without much care. “It is reasonable to assume that any organization deemed large enough to pay a ransom and that FIN7 suspects would not cause unwanted geopolitical attention is a possible target,” Work says.
Evolving Toolkit and Tactics
As the group has evolved, so has its attack toolkit and initial access techniques. Previously, for instance, FIN7 relied heavily on phishing campaigns to deliver malware downloaders called Griffon or Carbanak and Loadout on target networks. More recently, the threat actor has been using stolen credentials and attacks via third-party sites to get initial access. In one recent attack, for example, FIN7 first compromised the website of a digital products company and modified multiple download links on the site to point to an Amazon S3 bucket containing a backdoor version of a legitimate remote management tool.
Instead of using Loadout and Griffon, FIN7 has increasingly begun trying to deploy its malware directly on a victim’s network. Two tools that the group has been using recently in particular are Powerplant, a modular, multifunctional backdoor, and Beacon, a tool that FIN7 has been using as a secondary mode of access on compromised networks, alongside Powerplant.
Jeremy Kennelly, senior manager of financial crime analysis at Mandiant, says FIN7’s move away from payment card data theft to ransomware operations has made it much harder to assess the damage it is causing now. “The damage from ransomware intrusions goes far beyond ransoms paid; recovery efforts may cost significantly more, and lead to business or brand damages that are not easily calculable,” he says.
Regardless of specific numbers, the group’s evolving objectives have almost certainly caused significant financial losses to their victims and the victims of other criminals whose operations they have enabled, Kennelly says.
Bryce Abdo, senior analyst at Mandiant, says FIN7’s edge over other groups is its tooling, tradecraft, and evasiveness. Backdoors that the group uses — such as Powerplant and another tool called Diceloader — are complex and sophisticated, he says. The group has also shown an ability to limit the intelligence that security researchers can gather about their operations through measures like infrastructure hardening and complex obfuscation techniques.
“FIN7’s path forward is likely a combination of relationships with ransomware operators and affiliates, in conjunction with extortion using stolen data as leverage,” Abdo says. “This assessment is based on FIN7 relationships in the past with [ransomware groups] Maze, DarkSide, and ALPHV, where the dual threat of data theft preceding ransomware deployment is common.”
