US feds arrest three Ukrainian nationals from the notorious FIN7 hacker group
- FIN7 has been one of the most prolific APT groups in recent years, launching sophisticated and targeted attacks against more than 100 US companies.
- Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov were accused of hacking into thousands of computer systems and stealing millions of payment card details.
US federal prosecutors announced the arrest of three Ukrainian nationals believed to be high-ranking members of the notorious FIN7 hacking group, also known as the Carbanak Group and the Navigator Group. According to indictments unsealed in federal court in Seattle on Wednesday, prosecutors accused Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov of hacking into thousands of computer systems and stealing millions of credit and debit card numbers that the group used or sold for profit on the dark web.
FIN7 has been one of the most prolific APTs in recent years, launching sophisticated and targeted attacks against over 100 US companies and breaking into computers at more than 3,600 business locations across the US.
The group is known for using novel social engineering techniques and lures to deliver the infamous Carbanak backdoor and other custom tools, gaining a foothold in a victim's network and installing payment card harvesting tools, in attacks that date back to 2013.
After sending crafted phishing emails to business representatives, the hackers followed up with phone calls to the targeted companies, encouraging recipients to open the messages. Doing so executed the malware and infected the targeted network.
The Ukrainian suspects have been accused of using spear phishing emails and malware to steal information on more than 15 million payment cards from thousands of business locations across the country.
FIN7 has been active since at least 2013. Although the group is known for targeting retailers, restaurants, and the hospitality and gaming industries, FIN7 has also attacked casinos, banking infrastructure and ATMs. Its victims include Chipotle, Arby's, Red Robin, Sonic and Jason's Deli, among others. The group has also been linked to breaches of Trump Hotels, Saks Fifth Avenue, Whole Foods and Lord & Taylor.
“Throughout 2017, FIN7 was observed creating novel obfuscation methods, and in some cases modifying the methods on a daily basis while launching attacks targeting multiple victims,” FireEye wrote in a technical analysis of the group posted Wednesday. “The threat group regularly tested malicious .Doc, .DocX, and RTF phishing documents against public repositories to check static detection engine coverage.”
Fake cybersecurity company
According to the indictment, FIN7 also "used a front company, Combi Security, purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise. Combi Security’s website indicated that it provided a number of security services such as penetration testing. Ironically, the sham company’s website listed multiple U.S. victims among its purported clients.”
One of the suspects, Fedorov, has been detained in Poland and is awaiting extradition to the US. He was allegedly a high-level hacker and manager who supervised other hackers tasked with infiltrating victims' computer systems.
Hladyr was arrested in Dresden, Germany and was extradited to the US. He is currently detained in Seattle pending trial. Hladyr allegedly served as the group's systems administrator who maintained the organization's servers and communication channels, delegated tasks and provided instructions to other team members.
Kolpakov was arrested in Lepe, Spain, where he is currently detained pending the US government's request for extradition. He was also an alleged supervisor of a group of hackers. Europol announced his arrest back in March.
Each of the FIN7 conspirators has been charged with 26 felony counts, including conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.
“The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise,” Special Agent in Charge Jay Tabb of the FBI Seattle Field Office said in a statement. “As the lead federal agency for cyber-attack investigations, the FBI will continue to work with its law enforcement partners worldwide to pursue the members of this devious group, and hold them accountable for stealing from American businesses and individuals.”
It is not immediately clear how many members make up FIN7. However, the indictment claims the group comprises "dozens of members with diverse skillsets," and describes a sophisticated operation marked by advanced hacking skills, a formal organizational structure and a constantly growing arsenal of cyberweapons.
According to FireEye, the group may splinter, with a portion of its operators likely continuing their criminal activity despite the arrests by law enforcement.
"Although we expect activity to continue, it is extremely common for threat actors to either modify their TTPs or temporarily halt operations following significant developments such as arrests of high-level members and/or public disclosure of TTPs that they employ," FireEye researchers wrote.
"Depending on the organizational and communication structure of the group, it is also plausible that multiple subgroups could form and carry out independent operations in the future. Recent campaigns, as well as those using tactics that were atypical for historical FIN7 campaigns, such as the SEC campaigns with widespread targeting, may be representative of semi-autonomous groups pre-existing within, or cooperating with, the FIN7 criminal organization."
US attorney Annette Hayes said federal authorities are "under no illusion that we have taken this group down altogether."
“This investigation continues,” Hayes said at a press conference announcing the indictments. “These hackers think they can hide behind keyboards in faraway places, and that they can escape the long arm of United States law. I’m here to tell you, and I think this announcement makes clear, that they cannot do that.”