Feds arrest three in global cybercrime ring linked to hacks on Chipotle, Arby's and other US chains

The Justice Department appears to have put a dent in the global cybercrime ring known as FIN7, or Carbanak Group.

Prosecutors said Wednesday they arrested three senior members of the organization, which has targeted more than 100 U.S. businesses and stolen about 15 million credit card numbers in a long-running hacking campaign, as my colleague Devlin Barrett reported. The FBI arranged the arrests of the three suspects, all Ukrainian nationals, as they traveled outside their home country. They're charged with more than two dozen counts including conspiracy, wire fraud, computer hacking, fraud and aggravated identity theft.

Officials acknowledge they're still a long way from dismantling the criminal network entirely. But law enforcement and cybersecurity researchers are holding the case up as an example of the cooperation between government and private organizations they say is essential to thwart increasingly sophisticated cybercrime schemes.

"In the future we're going to see more groups like this evolve. And in order to combat these operations, we're going to have to work together to fight this threat," said Kimberly Goody, manager of financial crime analysis at FireEye, which has tracked FIN7 since 2015 and conducted intrusion investigations for numerous victim organizations.

Prosecutors said FIN7 members hacked thousands of businesses in the hospitality and restaurant industries, including Chipotle Mexican Grill, Chili's and Arby's. A bevy of the hacked companies acknowledged data breaches affecting millions of customers over roughly the past year and a half. Private security researchers have also issued a string of reports on FIN7's activities.

Officials said they tracked down the suspects and uncovered the hacking campaign by working closely with some of the targeted companies, as well as investigators from MasterCard and Visa, whose executives appeared alongside prosecutors in a news conference announcing the charges. While offering few specifics about the nature of that collaboration, officials said they would have had trouble bringing the case together without them. "The information shared by these companies has allowed the FBI to assist in protecting other potential victims and their networks from compromise," FBI special agent Jay S. Tabb said.

The praise might have felt a bit contrived were it not for the magnitude of the cybercrime group's alleged activities. From CyberScoop editor Greg Otto, who tweeted: "A lot of people roll their eyes when talk of 'public-private partnerships' and 'information sharing' comes up (I'm not immune from it, either), but in this case, hard to say anything but that both of those things were vital."

Indeed, officials described a shockingly elaborate scheme. FIN7 members, said to number in the dozens, allegedly used email spearphishing techniques to trick employees into opening attachments containing malware. This allowed them to access computer systems and make off with credit card data, which they sold on the dark Web, according to the indictments.

In some instances, prosecutors said, FIN7 members sent malware-tainted Microsoft Word documents that were made to look like corporate filings with the U.S. Securities and Exchange Commission.

Other spearphishing emails were said to contain malicious attachments disguised as catering orders or customer complaints. FIN7 members would even follow up with phone calls to make the emails appear legitimate, as Devlin reported. The defendants also allegedly used a sham computer security services company dubbed Combi Security to help recruit members.

The company, headquartered in Russia and Israel, advertised penetration testing and other security services, prosecutors said. Some of the recruits may not have even realized they were doing illicit work, FireEye researchers said in a blog post Wednesday detailing their findings about FIN7. From FireEye's Goody, who tweeted "Threat actors have a long history of recruiting unwitting individuals as props to further their operations - FIN7 apparently did this via the front company Combi Security."

Others took note of how advanced the group's tactics were. From threat intelligence researcher Charles Gardner, who tweeted "#FIN7 also excel at manipulating targets into opening exploit-laden documents. Whilst many threat actors do little beyond labeling documents as invoices, FIN7 have been known to prime targets by engaging directly via phone-calls before sending spear-phishing emails 4/n"

Security researcher Daniel Cuthbert tweeted "The FIN7 crew have shown some truly innovative skills never seen before in criminal groups. Their approach to targeting, obfuscation (fog of war tactics) and exfil has been noteworthy. Good write up by the FireEye team."

And FireEye's chief security architect Christopher Glyer tweeted "#FIN7 had some 'fun' social engineering techniques:

"1) Using web forms on a company's website to initiate contact and deliver a weaponized complaint document

"2) Calling victim at store prior to sending phishing email

"3) Following up with phone call after sending phishing email"

Penetrating deeper into the criminal network will probably be challenging for investigators. For years, FIN7 has used cutting-edge technical tools to evade detection. "In terms of financially motivated threat groups, this is definitely one of the most sophisticated we've seen to date," Goody told me. What's more, some of its members may be operating out of adversarial countries, meaning it could be hard to coordinate with local authorities to make arrests or extraditions.

The case has been a heavy lift for U.S. authorities. Tabb, of the FBI, said the agency's Seattle field office had devoted half of its "cyber resources" to the investigation. He added that it was "among the top three criminal computer intrusion cases that the FBI is working right now, in terms of loss, the number of victims, the global reach of it, and the size of the organization." And there's still more work to do.

"We are under no illusion that we've taken this down altogether," U.S. Attorney Annette L. Hayes said in Wednesday's news conference, "but we've made a significant impact."