WIRED has a nice exposé on Fin7, a highly sophisticated actor responsible for major breaches of The Hudson’s Bay Company, Omni Hotels & Resorts, Trump Hotels, Jason’s Deli, Whole Foods, and Chipotle:
While lots of criminal hacking gangs are simply out to make money, researchers regard Fin7 as a particularly professional and disciplined organization. The group—which often appears to be Russian-speaking, but hasn’t been tied to a home country—generally works on a normal business schedule, with nights and weekends off. It has developed its own malware tools and attack styles, and seems to have a well-funded research and testing division that helps it evade detection by antivirus scanners and authorities more broadly. In the Saks breach, Fin7 used “point of sale” malware—software secretly installed in the cash register transaction systems customers interact with—to lift the financial data, a signature move.
“They’re connected to almost every major point of sale breach,” says Dmitry Chorine, cofounder and CTO of Gemini Advisory, a threat intelligence firm that works with financial institutions and that first reported the Saks/Lord & Taylor breach. “From what we’ve learned over the years the group is operated as a business entity. They definitely have a mastermind, they have managers, they have money launderers, they have software developers, and they have software testers. And let’s not forget they have the financial means to stay hidden. They make at least $50 million every month. Given that they’ve been in business for many years, they probably have at least a billion dollars on hand.”
While the natural inclination would be to tie a criminal operation like this to Russia, especially given the hints that the group’s members are purportedly Russian speakers, that may simply be an extension of their sophistication. The actors may be so advanced that they are capable of accurately imitating Russian hacking groups in order to take the heat off their own true identities. This will certainly buy them some time, but at some point they will likely make a small mistake that exposes exactly who the real criminals hiding behind the screens are.
So far Fin7 has largely succeeded at staying just out of reach, but it works at such a massive scale on so many heists at once that there are bound to be missteps. Just last week, Spanish police working with Europol, the FBI, and a group of other international agencies arrested what they called the “mastermind” behind Carbanak’s financial institution hacking, particularly a spree of ATM jackpotting and other money laundering. “The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity,” Steven Wilson, the head of Europol’s European Cybercrime Centre, said of the operation last week.
Though an impressive step, researchers are skeptical that the arrest will really destabilize or neuter such a robust criminal syndicate. “Someone who was using part of the tools was arrested in Spain. He may be at a higher level of the food chain, but it definitely doesn’t necessarily mean the whole group has been dismantled,” says Gemini Advisory’s Chorine. “Even if you observe the chatter on criminal forums, there’s no clear indication of who was arrested.”
So as has been the case for years now, Fin7 will likely live to steal another credit card number. Or, more likely, millions of them.
Fin7 does appear to be a massive operation, and this one takedown is unlikely to affect its overall strategy. The group will likely rebuild this capability rather quickly and be right back to its criminal ways.
Organizations likely to be targeted by this group should not only invest in traditional cyber defense technologies, but also need to consider threat intelligence. The days of merely installing a firewall, intrusion prevention system, web gateway, file sandboxing, and endpoint security are over. Technological solutions require a strategic layer, constant vigilance, and a more thorough understanding of the threat actors and their capabilities. This is why threat intelligence is far more important today than it ever has been.