
Cyber Heists and FIN7 Hackers

It goes without saying how risky bank heists are. But the days of Bonnie and Clyde and the infamous case of the Scarecrow Bandits in recent history are ostensibly tapering off. That’s because cybercriminals and the tools they use continue to proliferate, giving rise to sophisticated cyber heists driven by a strong wind of desire to make fast, easy money.


Monumental high-tech thefts such as the Bangladesh Bank Cyber Heist of 2016 where hackers accessed the SWIFT network and transferred nearly $1 billion USD from the Federal Reserve Bank of New York from an account belonging to Bangladesh Bank may come to mind. This was the largest cyber bank heist in history.


Let’s not forget the largest cryptocurrency heist in recent history, which was a fiasco, with confusing twists and turns. Back in August 2021, a hacker managed to exploit a bug in the Poly Network and hijacked about $600 million USD.


Last but not least, Alberto Gonzales, who was arrested on May 7, 2008, supposedly masterminded the theft and reselling of more than 170 million credit card and ATM numbers, the biggest fraud operation in history. His conviction carries a historic element that exceeds the mere volume of stolen card data. He is the first hacker in history to receive a 20-year sentence.


High-Level Ukrainian FIN7 Hacker Sentenced


While not on par with the aforementioned historic cases, on April 7th, a Ukrainian man was sentenced to serve 5 years in prison for his role in the notorious Russian APT hacking group FIN7. Initially, Denys Larmak, 32, was apprehended in Bangkok, Thailand in November 2019 and was extradited to the United States for prosecution.


Denys Larmak has now become the third FIN7 member to be sentenced in the United States. Before him, fellow FIN7 member Fedir Hladyr received a sentence of 10 years in prison on April 16, 2011, and on June 24, 2021, Andrii Kolkpakov received a seven-year prison term.


The reach of FIN7 was incredibly broad. According to public disclosures of compromised entities, the group managed to compromise a slew of business networks belonging to a variety of food chains across several countries. This included attacks touching every state in America, in which over 20 million credit card records were compromised from over 6,500 individual point-of-sale terminals across 3,600 businesses.


Court documents in connection with the case calculated the damages to protected computer systems at more than $1 billion USD. A staggering amount, to say the least.


U.S. Attorney Nicholas W. Brown of the Western District of Washington remarked that Larmak's methods included distributing phishing emails embedded with malicious code, which in turn allowed him to gain access to his victims' networks and extract payment information. This enabled him, along with his compatriots, to steal from thousands of restaurant chain locations while remaining safely hidden in their own countries.


“This cyber-criminal probed and mapped victims’ networks searching for data to exploit,” said Special Agent M. Voiret, who is stationed in the FBI’s Seattle Field Office. Additionally, he explained how the cybercriminal enterprise masqueraded as a legitimate business. They recruited others to collaborate and help facilitate their objectives. “Thanks to the hard work of law enforcement, this defendant, who is responsible for an enormous loss amount, will be spending the next few years in prison,” he said.


Methods of Growth


Since no two hacking groups are cut from the same cloth, each group that comes into existence finds its form through different means, depending on its ideology as expressed through its modus operandi.


I recall when I first started my own group over a decade ago, my goal wasn’t to accumulate numbers so much as it was acquiring a small handful of highly skilled hackers apt in web exploitation.


The rest of my roster could perform menial tasks like finding warez, scouring the web for software cracks and serial keys, and performing a variety of scans. Even if I purged the roster, we only ever needed two or three highly skilled attackers.


But with any criminal enterprise that is able to reap a bountiful harvest, expansion is necessary to accommodate the demand and the volume of the return.

In a report, the American cybersecurity firm Mandiant pieced together details about the operations of FIN7, such as the group's use of new hacking tools, as well as its growth.


Mandiant also claimed that the group was bringing several other hacking teams, designated as “Uncategorized” threats, under the FIN7 banner, forming a conglomerate that has been tied to ransomware operators. Some of the ransomware might be familiar: REvil, Darkside, Blackmatter, ALPHV.


Gathering other online entities together under the same flag is rather common. Some of my own members were responsible for cultivating diplomatic relationships with other groups, so we could pool resources, strengthen our ranks, and accomplish feats that required more manpower.


Mandiant estimated that FIN7 had gathered 17 “Uncategorized” teams. This, in turn, also served to obfuscate the activities of the core members, since it introduced a plethora of auxiliary techniques, tools, and methodologies employed by non-FIN7 members.

Now with the third member of FIN7 having been sentenced, the future of this advanced persistent threat actor remains uncertain.


An article by

Jesse McGraw


Edited by

Ana Alexandre

