with Bastien Inzaurralde
Officials acknowledge they’re still a long way from dismantling the criminal network entirely. But law enforcement and cybersecurity researchers are holding the case up as an example of the cooperation between government and private organizations they say is essential to thwart increasingly sophisticated cybercrime schemes.
“In the future we’re going to see more groups like this evolve. And in order to combat these operations, we’re going to have to work together to fight this threat,” said Kimberly Goody, manager of financial crime analysis at the FireEye, which has tracked FIN7 since 2015 and conducted intrusion investigations for numerous victim organizations.
Prosecutors said FIN7 members hacked thousands of businesses in the hospitality and restaurant industries, including Chipotle Mexican Grill, Chili’s and Arby’s. A bevy of the hacked companies acknowledged data breaches affecting millions of customers over roughly the past year and a half. Private security researchers have also issued a string of reports on FIN7's activities.
Officials said they tracked down the suspects and uncovered the hacking campaign by working closely with some of the targeted companies, as well as investigators from Mastercard and Visa, whose executives appeared alongside prosecutors in a news conference announcing the charges. While offering few specifics about the nature of that collaboration, officials said they would have had trouble bringing the case together without them. “The information shared by these companies has allowed the FBI to assist in protecting other potential victims and their networks from compromise,” FBI special agent Jay S. Tabb said.
The praise might have felt a bit contrived were it not for the magnitude of the cybercrime group’s alleged activities. From CyberScoop editor Greg Otto:
A lot of people roll their eyes when talk of "public-private partnerships" and "information sharing" comes up (i'm not immune from it, either), but in this case, hard to say anything but that both of those things were vital
— Greg Otto (@gregotto) August 1, 2018
Indeed, officials described a shockingly elaborate scheme. FIN7 members, said to number in the dozens, allegedly used email spearphishing techniques to trick employees into opening attachments containing malware. This allowed them to access computer systems and make off with credit card data, which they sold on the dark Web, according to the indictments.
In some instances, prosecutors said, FIN7 members sent malware-tainted Microsoft Word documents that were made to look like corporate filings with the U.S. Securities and Exchange Commission. Other spearphishing emails were said to contain malicious attachments disguised as catering orders or customer complaints. FIN7 members would even follow up with phone calls to make the emails appear legitimate, as Devlin reported. The defendants also allegedly used a sham computer security services company dubbed Combi Security to help recruit members. The company, headquartered in Russia and Israel, advertised penetration testing and other security services, prosecutors said. Some of the recruits may not have even realized they were doing illicit work, FireEye researchers said in a blog post Wednesday detailing their findings about FIN7. From FireEye’s Goody:
Threat actors have a long history of recruiting unwitting individuals as props to further their operations - FIN7 apparently did this via the front company Combi Security.
— Kimberly (@tiskimber) August 1, 2018
Others took note of how advanced the group's tactics were. From threat intelligence researcher Charles Gardner:
#FIN7 also excel at manipulating targets into opening exploit-laden documents. Whilst many threat actors do little beyond labeling documents as invoices, FIN7 have been known to prime targets by engaging directly via phone-calls before sending spear-phishing emails 4/n
— Charlie Gardner (@zcracga) August 2, 2018
And FireEye's chief security architect:
#FIN7 had some "fun" social engineering techniques:
— Christopher Glyer (@cglyer) August 1, 2018
1) Using web forms on a company's website to initiate contact and deliver a weaponized complaint document
2) Calling victim at store prior to sending phishing email
3) Following up with phone call after sending phishing email
Penetrating deeper into the criminal network will probably be challenging for investigators. For years, FIN7 has used cutting-edge technical tools to evade detection. “In terms of financially motivated threat groups, this is definitely one of the most sophisticated we’ve seen to date,” Goody told me. What’s more, some of its members may be operating out of adversarial countries, meaning it could be hard to coordinate with local authorities to make arrests or extraditions.
The case has been a heavy lift for U.S. authorities. Tabb, of the FBI, said the agency’s Seattle field office had devoted half of its “cyber resources” to the investigation. He added that it was “among the top three criminal computer intrusion cases that the FBI is working right now, in terms of loss, the number of victims, the global reach of it, and the size of the organization.” And there’s still more work to do.
“We are under no illusion that we’ve taken this down altogether,” U.S. Attorney Annette L. Hayes said in Wednesday’s news conference, “but we’ve made a significant impact.”
| You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news. | |
| Not a regular subscriber? | |
|
PINGED, PATCHED, PWNED
PINGED: A Democratic push to direct more money to secure election systems has failed. “Senate Republicans voted down a bid Wednesday to direct an extra $250 million toward election security in advance of the 2018 midterms, despite heightened warnings from intelligence officials that foreign governments will try to interfere in the contests and evidence that some lawmakers have already been targeted,” The Washington Post's Karoun Demirjian reported. Sen Bob Corker (R-Tenn.) was the only Republican to vote for Sen. Patrick J. Leahy's (D-Vt.) measure, according to my colleague. “The integrity of our elections, which are the foundation of our democracy, should not be a partisan issue,” Leahy said in a statement after his amendment failed. “It is unfortunate that the Senate has followed the same path as House Republicans in blocking the funding our states need to help upgrade their infrastructure and secure our elections.”
Several Republicans have questioned the need for increasing funds for election security given that lawmakers have already directed $380 million toward that goal this year, Karoun reported. “'It is far too early to add another quarter billion dollars . . . when we don’t know how the first $380 million has even been spent,' Sen. James Lankford (R-Okla.), a member of the Senate Intelligence Committee, said on the Senate floor Wednesday,” my colleague wrote.
PATCHED: Foreign influence operations through social media represent a threat that the Senate Intelligence Committee “takes every bit as seriously as terrorism, weapons of mass destruction, espionage and regional instability,” Sen. Richard Burr (R-N.C.), the panel's chairman, said Wednesday. Burr, who was speaking at the opening of a hearing that featured five experts, said foreign influence campaigns on social platforms are especially pernicious because they use “our own rights and freedoms to weaken our country from within.” Burr praised social media for helping connect people but added that “the integrity of our society” is at stake in the fight against online propaganda. “So how do you keep the good while getting rid of the bad?” he asked. “That's the fundamental question in front of this committee and in front of the American people. And it's a complex problem that intertwines First Amendment freedoms with corporate responsibility, government regulation and the right of innovators to prosper from their own work.”
Sen. Mark R. Warner (D-Va.), the committee's vice chairman, warned that the challenge that online influence operations embodies is “only going to get harder” and voiced concern about the government's readiness to tackle the issue. "These types of asymmetric attacks — which include foreign operatives appearing to be Americans, engaging in online public discourse — almost by design, slipped between the seams of our free speech guarantees and our legal authorities and responsibilities,” Warner said.
PWNED: Email correspondence dating back to 2011 and 2012 between a researcher who maintains a cybersecurity website and someone who went by Kate S. Milton provides some clues into the way Russian spies operate online, the Associated Press's Raphael Satter and Matthew Bodner reported on Wednesday. “The researcher — who works as a security engineer and runs the malware-sharing site on the side — always had a pretty good idea that Milton wasn’t who she said she was. Last month, she got confirmation via an FBI indictment,” Satter and Bodner wrote. “The indictment, made public on July 13, lifted the lid on the Russian hacking operation that targeted the 2016 U.S. presidential election. It identified 'Kate S. Milton' as an alias for military intelligence officer Ivan Yermakov, one of 12 Russian spies accused of breaking into the Democratic National Committee and publishing its emails in an attempt to influence the 2016 election.”
It's unclear if Yermakov was working for the Russian military intelligence agency GRU when he contacted the researcher, but their email conversations may have several possible explanations. “They might show that the GRU was trying to cultivate people in the information security community with an eye toward getting the latest exploits as soon as possible, said Cosimo Mortola, a threat intelligence analyst at the cybersecurity company FireEye,” according to the AP. Or, Yermakov may have been a freelance hacker back then and was seeking exploits before the GRU recruited him.
— More cybersecurity news:
PUBLIC KEY
— The disagreements between lawmakers and President Trump over ZTE ended with a win for the White House with the passage of a $716 billion defense authorization bill in the Senate on Wednesday, my colleague Karoun reported. Senators withdrew a measure that the White House opposed during negotiations to reconcile the House and Senate versions of the bill. “During the process, Senate negotiators agreed to stand down on a provision that would have undone a deal the Trump administration struck with Chinese telecom giant ZTE to ease penalties that were imposed on the firm for doing business with Iran and North Korea,” Karoun wrote. “The removal of that provision eased tensions with the White House but lost the bill the votes of at least one key figure in the Senate: Sen. Marco Rubio (R-Fla.), who argued on the Senate floor Wednesday that the threat ZTE poses to national security meant it was worth opposing the defense bill over the issue of the ZTE policy change.”
— More cybersecurity news from the public sector:
PRIVATE KEY
— Experts worry that a stream of headlines about big data breaches might “set a new normal and instill a sense of fatalism — and complacency — in consumers,” the New York Times reports. The phenomenon known as “breach fatigue” has long concerned researchers. “We may adjust to this being the ‘new normal,’ ” Steven Andrés, who teaches at the Fowler College of Business and homeland security program at San Diego State University, told the Times. “Digital natives and younger generations may perceive their personal data — in a distorted sense — to never have been private, so what’s the big deal with it leaking out on the web anyway?”
— More cybersecurity news from the private sector:
SECURITY FAILS
THE NEW WILD WEST
— A hacking group is targeting electric utilities in the United States but has not yet shown the ability to carry out “destructive” attacks against industrial control systems that could result in massive blackouts, according to a blog post from the cybersecurity firm Dragos. The group, which the company refers to as RASPITE, also has targets in the Middle East, Europe and East Asia and has been active since last year. “Dragos caught RASPITE early in its maturity which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them,” Sergio Caltagirone, director of threat intelligence at Dragos, said in a statement. He said the company does not attribute threats against industrial control systems to specific countries but added that they usually “are state-sponsored due to the inherent risk, limited financial gain, and potential blow back from the operations.”
— More cybersecurity news from abroad:
FOR THE N00BS
ZERO DAYBOOK
Coming soon
- Black Hat USA security conference on Aug. 8 through Aug. 9 in Las Vegas.
- DEF CON security conference on Aug. 9 through Aug. 12 in Las Vegas.
EASTER EGGS
Watch a man's dramatic escape from a raging Greek wildfire:
Four things to know about the QAnon conspiracy theory: