Three key players in the infamous FIN7 cybercriminal organization that since 2015 has specialized in stealing payment card and financial data from hacked businesses around the world have been arrested and charged in one of the largest FBI cyber investigations of its kind, U.S. Department of Justice officials announced today.
The trio of suspects, all from Ukraine, allegedly held important positions within FIN7, aka the Carbanak Group, and engaged in a long-running campaign which saw 15 million payment card numbers stolen from more than 3,600 business locations across the U.S. alone, resulting in the loss of tens of millions of dollars. A federal indictment filed against all three was unsealed today.
In a press conference held today in the DOJ's Western Washington office headquarters in Seattle, federal authorities identified the defendants as Fedir Hladyr, 33, Dmytro Fedorov, 44, and Andrii Kolpakov, 30.
Hladyr, described by the DOJ as a systems administrator serving a managerial role, was arrested in Germany in January 2018 and has since been detained in Seattle where he awaits trial on Oct. 22. Fedorov, whom authorities characterized as a "high-level hacker" who supervised network breach operations, was separately rounded up in Poland last January. Kolpakov, another alleged hacker supervisor, was taken into custody in Spain last June. Federov and Kolpakov remain in Europe for now, pending extradition to the U.S.
The accused each face 26 charges, including conspiracy to commit wire and bank fraud, wire fraud, conspiracy to commit computing hacking, accessing a protected computer in furtherance of fraud, access device fraud, and aggravated identity theft. Fielding questions at the press conference, U.S. Attorney Annette Hayes for the Western District of Washington said that the three men could potentially be facing decades in prison if convicted.
According to the DOJ, FIN7 has attacked more than 100 U.S. companies since 2015, particularly those operating in the restaurant, gaming and hospitality industries. Prominent targets include businesses that facilitate large numbers of point-of-sale transactions, such as Chipotle Mexican Grill, Chili's, Sonic Drive-In, Arby's, Red Robin and Jason's Deli, as well as the Emerald Queen Casino in Tacoma, which is within Hayes' jurisdiction. The group has also been fingered for attacks against international companies as well as in countries like the UK, France and Australia.
The DOJ said that as part of a typical phishing campaign against such targets, FIN7 actors would send employees phishing emails purporting to contain prospective catering orders or reservations. The attackers would even follow up these communications with telephone calls, all in an effort to coax their targeting into opening the accompanying email attachment. But doing so would unleash malware allowing FIN7 to access that company's network, conduct surveillance, capture credentials and steal customer payment data from connected point-of-sale systems. (In particular, FIN7 is associated with the malware programs known as Carberp, Anunak and Carbanak.)
“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the dark net,” said Assistant Attorney General Brian Benczkowski, in a press release.
The unsealed indictments also attest that the alleged co-conspirators attempted to disguise their activities by creating a seemingly credible front company called Combi Security, which supposedly operated as a pen-testing company in Russia and Israel. "Under the guise of a legitimate company security company, FIN7, doing business as Combi Security, recruited individuals with computer programming skills, falsely claiming that the prospective employees would be engaged in legitimate pen-testing of client computer networks," Hladyr's indictment states. "In truth and in fact, as Defendant and his FIN7 co-conspirators well knew, Combi Security was a front company used to hire and deploy hackers who were given tasks in furtherance of the FIN7 conspiracy."
“The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise,” said FBI Special Agent in Charge Jay Tabb in the release. “As the lead federal agency for cyberattack investigations, the FBI will continue to work with its law enforcement partners worldwide to pursue the members of this devious group, and hold them accountable for stealing from American businesses and individuals.”
Tabb also told reporters at the conference the FIN7 investigation, which remains ongoing, is the "largest, or certainly among the top three criminal computer intrusion cases that the FBI is working right now in terms of loss, the number of victims," and "the global reach of it."
“Cybercriminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong," said Hayes in the DOJ release." We will continue our longstanding work with partners around the world to ensure cybercriminals are identified and held to account for the harm that they do – both to our pocketbooks and our ability to rely on the cyber networks we use.”
Last March, Europol separately announced the arrest in Spain of the mastermind behind organized Carbanak and Cobalt malware attacks dating as far back as 2013.
"It remains to be seen if the arrested individuals were involved in intrusion operations or were responsible for money laundering of illicit profits; however, given the timing I am very confident that the indicted individuals were associated with the Carbanak mastermind who was arrested in Spain in March of this year," said Andrei Barysevich, director of advanced collection at Recorded Future, in comments sent to SC Media. "The full effect of the latest development remains to be seen, but it is evident that the authorities are getting closer to the full dismantlement of the group."
"These recent announcements by U.S. law enforcement highlight the positive impact that can result from synergy between private and public sector organizations in disrupting organized cybercrime operations," stated FireEye researchers in a blog post analyzing FIN7's tactics in light of the DOJ's announcement. "As demonstrated by FIN7, financially-motivated threat actors are becoming extremely advanced and are capable of inflicting significant harm on organizations through vast, but carefully orchestrated campaigns. As sophisticated threat groups continue to emerge, partnerships, such as those exhibited here, will almost certainly play a key role in combating these threats."