THE KEY

The Justice Department appears to have put a dent in the global cybercrime ring known as FIN7, or Carbanak Group.

Prosecutors said yesterday they arrested three senior members of the organization, which has targeted more than 100 U.S. businesses and stolen about 15 million credit card numbers in a long-running hacking campaign, as my colleague Devlin Barrett reported. The FBI arranged the arrests of the three suspects, all Ukrainian nationals, as they traveled outside their home country. They’re charged with more than two dozen counts including conspiracy, wire fraud, computer hacking, fraud and aggravated identity theft.

Officials acknowledge they’re still a long way from dismantling the criminal network entirely. But law enforcement and cybersecurity researchers are holding the case up as an example of the cooperation between government and private organizations they say is essential to thwart increasingly sophisticated cybercrime schemes.

“In the future we’re going to see more groups like this evolve. And in order to combat these operations, we’re going to have to work together to fight this threat,” said Kimberly Goody, manager of financial crime analysis at FireEye, which has tracked FIN7 since 2015 and conducted intrusion investigations for numerous victim organizations.

Prosecutors said FIN7 members hacked thousands of businesses in the hospitality and restaurant industries, including Chipotle Mexican Grill, Chili’s and Arby’s. A bevy of the hacked companies acknowledged data breaches affecting millions of customers over roughly the past year and a half. Private security researchers have also issued a string of reports on FIN7's activities.

Officials said they tracked down the suspects and uncovered the hacking campaign by working closely with some of the targeted companies, as well as investigators from Mastercard and Visa, whose executives appeared alongside prosecutors in a news conference announcing the charges. While offering few specifics about the nature of that collaboration, officials said they would have had trouble bringing the case together without them. “The information shared by these companies has allowed the FBI to assist in protecting other potential victims and their networks from compromise,” FBI special agent Jay S. Tabb said.

The praise might have felt a bit contrived were it not for the magnitude of the cybercrime group’s alleged activities. From CyberScoop editor Greg Otto:

Indeed, officials described a shockingly elaborate scheme. FIN7 members, said to number in the dozens, allegedly used email spearphishing techniques to trick employees into opening attachments containing malware. This allowed them to access computer systems and make off with credit card data, which they sold on the dark Web, according to the indictments.

In some instances, prosecutors said, FIN7 members sent malware-tainted Microsoft Word documents that were made to look like corporate filings with the U.S. Securities and Exchange Commission. Other spearphishing emails were said to contain malicious attachments disguised as catering orders or customer complaints. FIN7 members would even follow up with phone calls to make the emails appear legitimate, as Devlin reported. The defendants also allegedly used a sham computer security services company dubbed Combi Security to help recruit members. The company, headquartered in Russia and Israel, advertised penetration testing and other security services, prosecutors said. Some of the recruits may not have even realized they were doing illicit work, FireEye researchers said in a blog post Wednesday detailing their findings about FIN7. From FireEye’s Goody:

Others took note of how advanced the group's tactics were. From threat intelligence researcher Charles Gardner:

Security researcher Daniel Cuthbert: 

And FireEye's chief security architect: 

Penetrating deeper into the criminal network will probably be challenging for investigators. For years, FIN7 has used cutting-edge technical tools to evade detection. “In terms of financially motivated threat groups, this is definitely one of the most sophisticated we’ve seen to date,” Goody told me. What’s more, some of its members may be operating out of adversarial countries, meaning it could be hard to coordinate with local authorities to make arrests or extraditions.

The case has been a heavy lift for U.S. authorities. Tabb, of the FBI, said the agency’s Seattle field office had devoted half of its “cyber resources” to the investigation. He added that it was “among the top three criminal computer intrusion cases that the FBI is working right now, in terms of loss, the number of victims, the global reach of it, and the size of the organization.” And there’s still more work to do.

“We are under no illusion that we’ve taken this down altogether,” U.S. Attorney Annette L. Hayes said in Wednesday’s news conference, “but we’ve made a significant impact.”

PINGED, PATCHED, PWNED

PINGED: A Democratic push to direct more money to secure election systems has failed. “Senate Republicans voted down a bid Wednesday to direct an extra $250 million toward election security in advance of the 2018 midterms, despite heightened warnings from intelligence officials that foreign governments will try to interfere in the contests and evidence that some lawmakers have already been targeted,” The Washington Post's Karoun Demirjian reported. Sen. Bob Corker (R-Tenn.) was the only Republican to vote for Sen. Patrick J. Leahy's (D-Vt.) measure, according to my colleague. “The integrity of our elections, which are the foundation of our democracy, should not be a partisan issue,” Leahy said in a statement after his amendment failed. “It is unfortunate that the Senate has followed the same path as House Republicans in blocking the funding our states need to help upgrade their infrastructure and secure our elections.”

Several Republicans have questioned the need for increasing funds for election security given that lawmakers have already directed $380 million toward that goal this year, Karoun reported. “'It is far too early to add another quarter billion dollars . . . when we don’t know how the first $380 million has even been spent,' Sen. James Lankford (R-Okla.), a member of the Senate Intelligence Committee, said on the Senate floor Wednesday,” my colleague wrote.

PATCHED: Foreign influence operations through social media represent a threat that the Senate Intelligence Committee “takes every bit as seriously as terrorism, weapons of mass destruction, espionage and regional instability,” Sen. Richard Burr (R-N.C.), the panel's chairman, said Wednesday. Burr, who was speaking at the opening of a hearing that featured five experts, said foreign influence campaigns on social platforms are especially pernicious because they use “our own rights and freedoms to weaken our country from within.” Burr praised social media for helping connect people but added that “the integrity of our society” is at stake in the fight against online propaganda. “So how do you keep the good while getting rid of the bad?” he asked. “That's the fundamental question in front of this committee and in front of the American people. And it's a complex problem that intertwines First Amendment freedoms with corporate responsibility, government regulation and the right of innovators to prosper from their own work.”

Sen. Mark R. Warner (D-Va.), the committee's vice chairman, warned that the challenge that online influence operations embodies is “only going to get harder” and voiced concern about the government's readiness to tackle the issue. "These types of asymmetric attacks — which include foreign operatives appearing to be Americans, engaging in online public discourse — almost by design, slipped between the seams of our free speech guarantees and our legal authorities and responsibilities,” Warner said.

PWNED: Email correspondence dating back to 2011 and 2012 between a researcher who maintains a cybersecurity website and someone who went by Kate S. Milton provides some clues into the way Russian spies operate online, the Associated Press's Raphael Satter and Matthew Bodner reported on Wednesday. “The researcher — who works as a security engineer and runs the malware-sharing site on the side — always had a pretty good idea that Milton wasn’t who she said she was. Last month, she got confirmation via an FBI indictment,” Satter and Bodner wrote. “The indictment, made public on July 13, lifted the lid on the Russian hacking operation that targeted the 2016 U.S. presidential election. It identified 'Kate S. Milton' as an alias for military intelligence officer Ivan Yermakov, one of 12 Russian spies accused of breaking into the Democratic National Committee and publishing its emails in an attempt to influence the 2016 election.” 

It's unclear if Yermakov was working for the Russian military intelligence agency GRU when he contacted the researcher, but their email conversations may have several possible explanations. “They might show that the GRU was trying to cultivate people in the information security community with an eye toward getting the latest exploits as soon as possible, said Cosimo Mortola, a threat intelligence analyst at the cybersecurity company FireEye,” according to the AP. Or, Yermakov may have been a freelance hacker back then and was seeking exploits before the GRU recruited him.

— More cybersecurity news:

  • National Security: Analysts say Russian efforts to manipulate U.S. voters have grown more sophisticated and harder to detect. (Ellen Nakashima and Craig Timberg)
  • Politics: The proposal comes as Trump has stepped up his attacks on the investigation. (Carol D. Leonnig)
  • A Massachusetts man was convicted by a federal jury for attacking the computer network of a world-renowned hospital. (Associated Press)

PUBLIC KEY

— The disagreements between lawmakers and President Trump over ZTE ended with a win for the White House with the passage of a $716 billion defense authorization bill in the Senate on Wednesday, my colleague Karoun reported. Senators withdrew a measure that the White House opposed during negotiations to reconcile the House and Senate versions of the bill. “During the process, Senate negotiators agreed to stand down on a provision that would have undone a deal the Trump administration struck with Chinese telecom giant ZTE to ease penalties that were imposed on the firm for doing business with Iran and North Korea,” Karoun wrote. “The removal of that provision eased tensions with the White House but lost the bill the votes of at least one key figure in the Senate: Sen. Marco Rubio (R-Fla.), who argued on the Senate floor Wednesday that the threat ZTE poses to national security meant it was worth opposing the defense bill over the issue of the ZTE policy change.”

— More cybersecurity news from the public sector:

  • The U.S. Congress is sending President Donald Trump legislation that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military. (Reuters)
  • Documents obtained by Motherboard give insight into how hackers at CYBERCOM prepare before launching offensive cyber operations, including figuring out how likely an attack will be attributed back to them. (Motherboard)
  • The Senate Intelligence Committee will question executives from Facebook and other social media companies on Sept. 5 to question them on their efforts to combat foreign influence operations on their platforms. (The Hill)
  • National Security: As Trump tweets in defense of his former campaign chairman, trial speeds on. (Rachel Weiner, Justin Jouvenal, Rosalind S. Helderman and Devlin Barrett)

PRIVATE KEY

— Experts worry that a stream of headlines about big data breaches might “set a new normal and instill a sense of fatalism — and complacency — in consumers,” the New York Times reports. The phenomenon known as “breach fatigue” has long concerned researchers. “We may adjust to this being the ‘new normal,’ ” Steven Andrés, who teaches at the Fowler College of Business and homeland security program at San Diego State University, told the Times. “Digital natives and younger generations may perceive their personal data — in a distorted sense — to never have been private, so what’s the big deal with it leaking out on the web anyway?”

— More cybersecurity news from the private sector:

  • Machine-learning techniques promise to make biometric data far more useful for intelligence gathering. (Defense One)
  • Alex Stamos, Facebook’s chief security officer, is joining Stanford to teach and to examine the role of security and technology in society. (New York Times)

SECURITY FAILS

  • The Switch: A ransomware attack infected Matanuska-Susitna's computers and email system, forcing officials to pull them offline. (Hamza Shaban)
  • The Switch: A hacker broke into Reddit's computer systems in June, gaining access to the email addresses of some of its users and a database of usernames and user data from 2007. (Hamza Shaban)

THE NEW WILD WEST

— A hacking group is targeting electric utilities in the United States but has not yet shown the ability to carry out “destructive” attacks against industrial control systems that could result in massive blackouts, according to a blog post from the cybersecurity firm Dragos. The group, which the company refers to as RASPITE, also has targets in the Middle East, Europe and East Asia and has been active since last year. “Dragos caught RASPITE early in its maturity which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them,” Sergio Caltagirone, director of threat intelligence at Dragos, said in a statement. He said the company does not attribute threats against industrial control systems to specific countries but added that they usually “are state-sponsored due to the inherent risk, limited financial gain, and potential blow back from the operations.”

— More cybersecurity news from abroad:

  • Beijing appointed a new director for its powerful internet regulator, elevating an official seen as an associate of President Xi Jinping to a post with censorship responsibilities and huge sway over tech companies. (Wall Street Journal)
  • Southeast Asian nations hope to strike a joint agreement on cybersecurity in coming days with Russia, accused by the United States of meddling in its elections, after a series of high-profile hacks in the region. (Reuters)

FOR THE N00BS

  • The Switch: Our tech columnist takes a first look at an app update that reports how much time you’re spending in Instagram and Facebook — and lets you set self-imposed daily limits. (Geoffrey Fowler)

ZERO DAYBOOK

Coming soon

  • Black Hat USA security conference on Aug. 8 through Aug. 9 in Las Vegas.
  • DEF CON security conference on Aug. 9 through Aug. 12 in Las Vegas.

EASTER EGGS

Watch a man's dramatic escape from a raging Greek wildfire:

Multiple gunshots heard as Zimbabwe army opens fire on opposition protesters:

Four things to know about the QAnon conspiracy theory: