The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: Feds arrest three in global cybercrime ring linked to hacks on Chipotle, Arby's and other U.S. chains

with Bastien Inzaurralde


The Justice Department appears to have put a dent in the global cybercrime ring known as FIN7, or Carbanak Group.

Prosecutors said yesterday they arrested three senior members of the organization, which has targeted more than 100 U.S. businesses and stolen about 15 million credit card numbers in a long-running hacking campaign, as my colleague Devlin Barrett reported. The FBI arranged the arrests of the three suspects, all Ukrainian nationals, as they traveled outside their home country. They’re charged with more than two dozen counts including conspiracy, wire fraud, computer hacking, fraud and aggravated identity theft.

Officials acknowledge they’re still a long way from dismantling the criminal network entirely. But law enforcement and cybersecurity researchers are holding the case up as an example of the cooperation between government and private organizations they say is essential to thwart increasingly sophisticated cybercrime schemes.

“In the future we’re going to see more groups like this evolve. And in order to combat these operations, we’re going to have to work together to fight this threat,” said Kimberly Goody, manager of financial crime analysis at FireEye, which has tracked FIN7 since 2015 and conducted intrusion investigations for numerous victim organizations.

Prosecutors said FIN7 members hacked thousands of businesses in the hospitality and restaurant industries, including Chipotle Mexican Grill, Chili’s and Arby’s. A bevy of the hacked companies acknowledged data breaches affecting millions of customers over roughly the past year and a half. Private security researchers have also issued a string of reports on FIN7's activities.

Officials said they tracked down the suspects and uncovered the hacking campaign by working closely with some of the targeted companies, as well as investigators from Mastercard and Visa, whose executives appeared alongside prosecutors in a news conference announcing the charges. While offering few specifics about the nature of that collaboration, officials said they would have had trouble bringing the case together without them. “The information shared by these companies has allowed the FBI to assist in protecting other potential victims and their networks from compromise,” FBI special agent Jay S. Tabb said.

The praise might have felt a bit contrived were it not for the magnitude of the cybercrime group’s alleged activities.

Indeed, officials described a shockingly elaborate scheme. FIN7 members, said to number in the dozens, allegedly used email spearphishing techniques to trick employees into opening attachments containing malware. This allowed them to access computer systems and make off with credit card data, which they sold on the dark Web, according to the indictments.

In some instances, prosecutors said, FIN7 members sent malware-tainted Microsoft Word documents that were made to look like corporate filings with the U.S. Securities and Exchange Commission. Other spearphishing emails were said to contain malicious attachments disguised as catering orders or customer complaints. FIN7 members would even follow up with phone calls to make the emails appear legitimate, as Devlin reported. The defendants also allegedly used a sham computer security services company dubbed Combi Security to help recruit members. The company, headquartered in Russia and Israel, advertised penetration testing and other security services, prosecutors said. Some of the recruits may not have even realized they were doing illicit work, FireEye researchers said in a blog post Wednesday detailing their findings about FIN7.

Others took note of how advanced the group's tactics were.

Penetrating deeper into the criminal network will probably be challenging for investigators. For years, FIN7 has used cutting-edge technical tools to evade detection. “In terms of financially motivated threat groups, this is definitely one of the most sophisticated we’ve seen to date,” Goody told me. What’s more, some of its members may be operating out of adversarial countries, meaning it could be hard to coordinate with local authorities to make arrests or extraditions.

The case has been a heavy lift for U.S. authorities. Tabb, of the FBI, said the agency’s Seattle field office had devoted half of its “cyber resources” to the investigation. He added that it was “among the top three criminal computer intrusion cases that the FBI is working right now, in terms of loss, the number of victims, the global reach of it, and the size of the organization.” And there’s still more work to do.

“We are under no illusion that we’ve taken this down altogether,” U.S. Attorney Annette L. Hayes said in Wednesday’s news conference, “but we’ve made a significant impact.”


PINGED: A Democratic push to direct more money to secure election systems has failed. “Senate Republicans voted down a bid Wednesday to direct an extra $250 million toward election security in advance of the 2018 midterms, despite heightened warnings from intelligence officials that foreign governments will try to interfere in the contests and evidence that some lawmakers have already been targeted,” The Washington Post's Karoun Demirjian reported. Sen. Bob Corker (R-Tenn.) was the only Republican to vote for Sen. Patrick J. Leahy's (D-Vt.) measure, according to my colleague. “The integrity of our elections, which are the foundation of our democracy, should not be a partisan issue,” Leahy said in a statement after his amendment failed. “It is unfortunate that the Senate has followed the same path as House Republicans in blocking the funding our states need to help upgrade their infrastructure and secure our elections.”

Several Republicans have questioned the need for increasing funds for election security given that lawmakers have already directed $380 million toward that goal this year, Karoun reported. “'It is far too early to add another quarter billion dollars . . . when we don’t know how the first $380 million has even been spent,' Sen. James Lankford (R-Okla.), a member of the Senate Intelligence Committee, said on the Senate floor Wednesday,” my colleague wrote.


PATCHED: Foreign influence operations through social media represent a threat that the Senate Intelligence Committee “takes every bit as seriously as terrorism, weapons of mass destruction, espionage and regional instability,” Sen. Richard Burr (R-N.C.), the panel's chairman, said Wednesday. Burr, who was speaking at the opening of a hearing that featured five experts, said foreign influence campaigns on social platforms are especially pernicious because they use “our own rights and freedoms to weaken our country from within.” Burr praised social media for helping connect people but added that “the integrity of our society” is at stake in the fight against online propaganda. “So how do you keep the good while getting rid of the bad?” he asked. “That's the fundamental question in front of this committee and in front of the American people. And it's a complex problem that intertwines First Amendment freedoms with corporate responsibility, government regulation and the right of innovators to prosper from their own work.”

Sen. Mark R. Warner (D-Va.), the committee's vice chairman, warned that the challenge that online influence operations embody is “only going to get harder” and voiced concern about the government's readiness to tackle the issue. “These types of asymmetric attacks — which include foreign operatives appearing to be Americans, engaging in online public discourse — almost by design, slipped between the seams of our free speech guarantees and our legal authorities and responsibilities,” Warner said.

PWNED: Email correspondence dating back to 2011 and 2012 between a researcher who maintains a cybersecurity website and someone who went by Kate S. Milton provides some clues into the way Russian spies operate online, the Associated Press's Raphael Satter and Matthew Bodner reported on Wednesday. “The researcher — who works as a security engineer and runs the malware-sharing site on the side — always had a pretty good idea that Milton wasn’t who she said she was. Last month, she got confirmation via an FBI indictment,” Satter and Bodner wrote. “The indictment, made public on July 13, lifted the lid on the Russian hacking operation that targeted the 2016 U.S. presidential election. It identified 'Kate S. Milton' as an alias for military intelligence officer Ivan Yermakov, one of 12 Russian spies accused of breaking into the Democratic National Committee and publishing its emails in an attempt to influence the 2016 election.” 

It's unclear if Yermakov was working for the Russian military intelligence agency GRU when he contacted the researcher, but their email conversations may have several possible explanations. “They might show that the GRU was trying to cultivate people in the information security community with an eye toward getting the latest exploits as soon as possible, said Cosimo Mortola, a threat intelligence analyst at the cybersecurity company FireEye,” according to the AP. Or, Yermakov may have been a freelance hacker back then and was seeking exploits before the GRU recruited him.

— More cybersecurity news:

As midterm elections approach, a growing concern that the nation is not protected from Russian interference (Ellen Nakashima and Craig Timberg)

The moment when Facebook’s removal of alleged Russian disinformation became a free speech issue (Tony Romm, Elizabeth Dwoskin and Eli Rosenberg)

Mueller offers to limit investigators’ questions for Trump in special counsel’s latest effort to secure presidential interview (Carol D. Leonnig)

Man convicted for hacking hospital computer network (Associated Press)


— The disagreements between lawmakers and President Trump over ZTE ended with a win for the White House with the passage of a $716 billion defense authorization bill in the Senate on Wednesday, my colleague Karoun reported. Senators withdrew a measure that the White House opposed during negotiations to reconcile the House and Senate versions of the bill. “During the process, Senate negotiators agreed to stand down on a provision that would have undone a deal the Trump administration struck with Chinese telecom giant ZTE to ease penalties that were imposed on the firm for doing business with Iran and North Korea,” Karoun wrote. “The removal of that provision eased tensions with the White House but lost the bill the votes of at least one key figure in the Senate: Sen. Marco Rubio (R-Fla.), who argued on the Senate floor Wednesday that the threat ZTE poses to national security meant it was worth opposing the defense bill over the issue of the ZTE policy change.”

— More cybersecurity news from the public sector:

U.S. Congress passes bill forcing tech companies to disclose foreign software probes (Reuters)

How US Military Hackers Prepared to Hack the Islamic State (Motherboard)

Facebook to face Senate Intel questions following revelation of new disinformation campaign (The Hill)

Manafort jury hears of lavish spending on luxury clothes (Rachel Weiner, Justin Jouvenal, Rosalind S. Helderman and Devlin Barrett)


— Experts worry that a stream of headlines about big data breaches might “set a new normal and instill a sense of fatalism — and complacency — in consumers,” the New York Times reports. The phenomenon known as “breach fatigue” has long concerned researchers. “We may adjust to this being the ‘new normal,’ ” Steven Andrés, who teaches at the Fowler College of Business and homeland security program at San Diego State University, told the Times. “Digital natives and younger generations may perceive their personal data — in a distorted sense — to never have been private, so what’s the big deal with it leaking out on the web anyway?”

— More cybersecurity news from the private sector:

Surveillance Cameras Will Soon Divine Your Personality from Eye Movements (Defense One)

Facebook’s Security Chief to Depart for Stanford University (New York Times)


An Alaskan borough turns to typewriters and handwriting after its computers were hacked (Hamza Shaban)

Reddit was hacked. Here’s how to learn if you were affected. (Hamza Shaban)


— A hacking group is targeting electric utilities in the United States but has not yet shown the ability to carry out “destructive” attacks against industrial control systems that could result in massive blackouts, according to a blog post from the cybersecurity firm Dragos. The group, which the company refers to as RASPITE, also has targets in the Middle East, Europe and East Asia and has been active since last year. “Dragos caught RASPITE early in its maturity which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them,” Sergio Caltagirone, director of threat intelligence at Dragos, said in a statement. He said the company does not attribute threats against industrial control systems to specific countries but added that they usually “are state-sponsored due to the inherent risk, limited financial gain, and potential blow back from the operations.”

— More cybersecurity news from abroad:

China Names New Internet Overseer (Wall Street Journal)

Southeast Asia seek cybersecurity deal with Russia after series of hacks (Reuters)


Addicted to Facebook and Instagram? Now they’ll tell you how much time you spend liking and double tapping (Geoffrey Fowler)

New Chrome Extension Alerts Users to Hacked Sites (Dark Reading)


Coming soon

  • Black Hat USA security conference on Aug. 8 through Aug. 9 in Las Vegas.
  • DEF CON security conference on Aug. 9 through Aug. 12 in Las Vegas.
