A third member of the FIN7 cybercrime gang has been sentenced for his role in a scheme that targeted hundreds of companies with payment data stealing malware. Denys Iarmak, 32, who served as a “pen tester” for the group, was sentenced to five years in prison for his crimes, the US Department of Justice (DoJ) announced in a press release yesterday (April 7).

Iarmak was arrested in Bangkok in 2019 at the request of US law enforcement. He is the third member to have been sentenced after Fedir Hladyr and Andrii Kolpakov were imprisoned in 2021 for 10 years and seven years, respectively.

In a near decade-long, financially motivated hacking campaign, FIN7 is said to have breached the computer networks of businesses in all 50 US states and the District of Columbia, stealing more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.

According to court documents, victims incurred enormous costs exceeding $1 billion. Retailers that have publicly disclosed hacks attributable to FIN7 include the restaurant chains Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli. Additional intrusions occurred abroad, including in the UK, Australia, and France, said the DoJ.

Retail targets

FIN7, also referred to as ‘Carbanak Group’ and the ‘Navigator Group’, has been active since 2013, deploying sophisticated malware to hundreds of organizations, predominantly in the restaurant, gambling, and hospitality industries. The DoJ said that the group notably hacked into thousands of computer systems and stole millions of customer credit and debit card numbers that were then used or sold for profit.

Its main method of compromise was via phishing attacks, tricking employees into downloading a malicious file containing an adapted version of the Carbanak malware, which would steal customer payment card data. “Since 2015, many of the stolen payment card numbers have been offered for sale through online underground marketplaces,” explained the DoJ.

Active Threat Group

A team of threat analysts at Mandiant who have been tracking the cybercrime cell noted earlier this month that while prosecutions of members have continued, the threat group shows no signs of disbanding.

In January 2022, the analysts said eight previously suspected uncategorized (UNC) hacking groups were merged into FIN7. “To date, we suspect 17 additional UNCs of being affiliated with FIN7 with varying levels of confidence; however, those groups have not been formally merged into FIN7,” Mandiant said. The threat intel group’s latest FIN7 report also highlights notable shifts in the group’s activity over time, including the use of novel malware, the incorporation of new initial access vectors, and a shift in monetization strategies.

Bryce Abdo, senior analyst at Mandiant, told The Daily Swig: “In years leading up to 2019, FIN7’s goal was the clear-cut targeting and stealing of organizations’ payment card data. Since then, our holdings show that FIN7 has shifted away from targeting that data.

“In multiple cases leading up to late 2021, FIN7 actors had access to victim networks without deploying any credit card theft malware, or targeting servers holding that data.

“FIN7’s path forward is likely a combination of relationships with ransomware operators and affiliates, in conjunction with extortion using stolen data as leverage. This assessment is based on FIN7 relationships in the past with MAZE, DARKSIDE, and ALPHV, where the dual threat of data theft preceding ransomware deployment is common.”

Hidden Tracks

Jamie Collier, senior threat intelligence advisor at Mandiant, told The Daily Swig that tracking the cell has become harder and harder due to the variety of groups now working together and collaborating as affiliates.

Collier said: “This can muddle attribution and make it unclear where one group ends and another starts, and is a key challenge facing law enforcement.

“There is a big difference between building high confidence in tracking and attributing threat actors for the purposes of network defense, compared to the further level of attribution then required to confirm the identity of individuals involved.

“This typically requires much more far-reaching capabilities, which is why these sorts of things are often done by government law enforcement.”