Threat Actor Profile
FIN7
FIN7, also known as the Carbanak Group or Carbon Spider, is a financially motivated cybercrime group that has been active since approximately 2015. Believed to originate in Eastern Europe, the group focuses heavily on the theft of payment card data through point-of-sale (POS) system compromises, ransomware deployment, and extortion. Its evolving techniques and organizational structure set it apart as one of the most sophisticated cybercrime syndicates operating today.
Country of Origin
While FIN7's operations are widely linked to individuals in Eastern Europe, particularly Ukraine and Russia, there is no clear evidence of state sponsorship. Unlike state-backed advanced persistent threat (APT) groups, FIN7's activities are financially driven, and no direct evidence ties the group to government mandates.
Members
Exact membership counts for FIN7 are unknown, though evidence reveals a sophisticated structure that mimics a legitimate organization. Members fill distinct roles, such as developers, administrators, and recruiters, and are paid with performance-driven incentives. The group has used front companies such as Combi Security to recruit staff and mask its illicit operations.
Leadership
To date, specific names of FIN7's leadership remain elusive. Arrests of high-level operators, including several Ukrainian nationals in 2018, shed light on its hierarchical structure, but concrete details about its leadership remain classified or unknown.
FIN7 TTPs
Tactics
The group's primary goals center on financial gains through payment card theft and ransomware operations. Their targeting strategy often focuses on industries with POS systems or high volumes of credit/debit transactions, such as retail, hospitality, and restaurants.
Techniques
Their techniques include spear-phishing campaigns with tailored social engineering to gain initial access. These emails are disguised as business-related correspondence and are sometimes followed by phone calls to increase their credibility. The group also runs malvertising campaigns, using fake ads to lure victims, and deploys malware to infiltrate systems and exfiltrate data.
Procedures
FIN7 is known for deploying custom and adapted malware such as Carbanak, NetSupport RAT, POWERTRASH, and DICELOADER. They use these tools to escalate privileges, move laterally across networks, and target point-of-sale systems. More recently, they have shifted toward ransomware operations, combining data theft with ransom demands to amplify the financial extortion.
Notable Cyberattacks
Among their significant cyberattacks, the breaches between 2017 and 2018 targeting major food chains stand out, where extensive POS data was stolen. Since 2020, their shift toward ransomware operations and data extortion has caused devastating financial and reputational harm to numerous businesses.
Law Enforcement & Arrests
Law enforcement agencies, including the U.S. Department of Justice (DOJ), have made strides in tackling FIN7. Notable arrests include a series of apprehensions in 2018 targeting high-ranking operators. However, despite these efforts, FIN7 remains operational, indicating the group's resilience and decentralized structure.
How to Defend Against FIN7
Implement robust employee training on phishing recognition.
Segment networks to isolate critical systems, such as Point-of-Sale (POS) networks.
Maintain up-to-date Endpoint Detection and Response (EDR) tools.
Regularly patch vulnerabilities in software and systems.
Huntress's Managed Endpoint Detection and Response solutions can detect malware used by FIN7, monitor abnormal network behaviors, and strengthen defenses against phishing and other initial access techniques.