"FIN10" Cybercrime Group Extorts Canadian Firms
16.6.2017 securityweek CyberCrime
A profit-driven cybercrime group tracked as FIN10 has been running an extortion operation mainly targeting organizations in North America, security firm FireEye reported on Friday.
A majority of the FIN10 attacks observed by FireEye have been aimed at mining companies and casinos in Canada. The hackers breached the targeted organization’s systems, obtained valuable data, and threatened to make it public unless a ransom was paid. Victims that refused to pay up had their data published online and their systems disrupted.
FIN10 has been around since as early as 2013 and its activities have continued through at least 2016. The first phase of its attacks has, at least in some cases, involved spear-phishing emails carrying links to servers controlled by the cybercrooks. The phishing emails were apparently crafted using data obtained from LinkedIn and other sources.
The early-stage tools used by the attackers included Meterpreter, the Splinter remote access trojan (RAT), and PowerShell-based utilities, including some written by the group itself.
The attackers then used compromised credentials, the Windows RDP service and tools such as Splinter RAT, PowerShell Empire and Meterpreter to maintain persistence and move laterally within the victim’s network. Their goal was to steal corporate business data, including correspondence and customer PII, which they could use to extort the victim.
Organizations that refused to pay had their data leaked and their systems and networks were often disrupted via batch scripts designed to delete critical files.
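The intrusion chain described above (valid credentials over RDP, PowerShell tooling such as Empire and Meterpreter stagers, and batch scripts that wipe files) is the kind of activity a defender would hunt for in Windows Security logs. The script below is an added example, not code from FireEye's report or from the original article: a small Python triage pass over constructed, fictitious log records. The hostnames, account name, IP addresses and the JSON field layout (loosely modelled on event IDs 4624 and 4688) are assumptions made for the illustration, and the regular expressions are generic heuristics rather than FIN10-specific indicators.

```python
"""Added triage example (not from FireEye or SecurityWeek): hunt Windows
Security events for behaviours the article attributes to FIN10 -- one
account reaching several hosts over RDP, suspicious PowerShell command
lines, and destructive batch-style deletions.
All records in SAMPLE_LOG are CONSTRUCTED; field names, hosts, users and
IPs are assumptions, loosely modelled on event IDs 4624 and 4688."""
import json
import re
from collections import defaultdict

RDP_LOGON_TYPE = 10  # 4624 logon type 10 = RemoteInteractive (RDP)

# Constructed sample log: one JSON object per line (newline-delimited JSON).
SAMPLE_LOG = r"""
{"ts":"2016-03-01T08:02:11","event_id":4624,"host":"WS-112","user":"jdoe","logon_type":2,"src_ip":"-"}
{"ts":"2016-03-01T22:41:07","event_id":4624,"host":"FS-01","user":"jdoe","logon_type":10,"src_ip":"10.20.5.44"}
{"ts":"2016-03-01T22:43:19","event_id":4624,"host":"SQL-02","user":"jdoe","logon_type":10,"src_ip":"10.20.9.12"}
{"ts":"2016-03-01T22:45:00","event_id":4688,"host":"FS-01","user":"jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoP -W Hidden -Enc SQBFAFgA"}
{"ts":"2016-03-01T23:10:32","event_id":4688,"host":"FS-01","user":"jdoe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c wipe.bat"}
{"ts":"2016-03-01T23:10:33","event_id":4688,"host":"FS-01","user":"jdoe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"del /f /s /q D:\\Shares\\Finance\\*.*"}
{"ts":"2016-03-02T09:00:00","event_id":4688,"host":"WS-112","user":"jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe Get-ChildItem"}
"""

# Command-line traits typical of Empire/Meterpreter-style PowerShell stagers.
PS_SUSPICIOUS = [
    ("encoded command", re.compile(r"(?i)(^|\s)-e(c|nc|ncodedcommand)?\b")),
    ("hidden window", re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("download cradle", re.compile(r"(?i)downloadstring|downloadfile|\biex\b|invoke-expression")),
]
# Recursive delete/rmdir, the core of a file-wiping batch script.
DESTRUCTIVE_DEL = re.compile(r"(?i)\b(del|erase|rd|rmdir)\b.*\s/s\b")


def parse(log_text):
    """Yield events from newline-delimited JSON, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def triage(log_text):
    """Return findings (dicts with kind/ts/host/user/detail), ordered by time."""
    findings = []
    rdp_targets = defaultdict(list)  # user -> [(ts, host)] for RDP logons

    for ev in parse(log_text):
        if ev["event_id"] == 4624 and ev["logon_type"] == RDP_LOGON_TYPE:
            rdp_targets[ev["user"]].append((ev["ts"], ev["host"]))
        elif ev["event_id"] == 4688:
            image = ev["image"].lower()
            cmd = ev["cmdline"]
            if image.endswith("powershell.exe"):
                for label, pat in PS_SUSPICIOUS:
                    if pat.search(cmd):
                        findings.append(dict(kind="suspicious_powershell", ts=ev["ts"],
                                             host=ev["host"], user=ev["user"], detail=label))
            if image.endswith("cmd.exe") and DESTRUCTIVE_DEL.search(cmd):
                findings.append(dict(kind="destructive_batch", ts=ev["ts"],
                                     host=ev["host"], user=ev["user"], detail=cmd))

    # One account fanning out to several hosts over RDP is the lateral-movement shape.
    for user, hits in rdp_targets.items():
        hosts = sorted({h for _, h in hits})
        if len(hosts) >= 2:
            findings.append(dict(kind="rdp_fan_out", ts=max(t for t, _ in hits),
                                 host=hosts[-1], user=user, detail=hosts))

    findings.sort(key=lambda f: f["ts"])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["kind"], f["host"], f["user"], f["detail"])
```

On the constructed sample the benign interactive logon and the ordinary `Get-ChildItem` invocation produce nothing, while the RDP fan-out by one account, the hidden encoded PowerShell launch and the recursive `del` are each surfaced. In a real environment the same logic would run over exported Security logs or a SIEM query, with the RDP rule tightened by a time window and a baseline of each account's usual hosts.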
Victims were asked to pay between 100 and 500 bitcoins, worth hundreds of thousands of dollars at the time. FireEye told SecurityWeek that some of the victims gave in to the extortion demands.
FIN10 has carried out its attacks claiming to represent various hacker groups, particularly hacktivists. In one operation they claimed to be a Russian group called “Angels_Of_Truth” and told their victim that the attack was carried out in response to Canada’s economic sanctions on Russia. Researchers determined, however, that the posts in Russian were likely written using online translation tools and not by a native speaker.
DataBreaches.net reported in June 2015 that a group calling itself “Angels_Of_Truth,” claiming to be from Russia, breached the systems of Canada-based intermediate gold producer Detour Gold Corporation. At the time, the hackers leaked personal information of employees and customers, salary information, confidential deals, donation records, medical records, legal documents, invoices, performance reviews and other data.
In other attacks, the hackers claimed to represent “Tesla Team,” a Serbian hacktivist group. In one operation, the group introduced itself as Tesla Team, but later changed its name to “Anonymous Threat Agent.”
In order to increase their chances of making the victim pay the ransom, FIN10 sent emails to staff and board members of the targeted organization. The group also informed the media about its breaches, either to put pressure on the victim or to maximize the exposure of those who refused to pay, FireEye said.
Researchers believe that FIN10’s focus on North America could suggest the attacker’s familiarity with this region.
“The relative degree of operational success enjoyed by FIN10 makes it highly probable the group will continue to conduct similar extortion-based campaigns at least in the near term. Notably, we already have some evidence to suggest FIN10 has targeted additional victims beyond currently confirmed targets,” FireEye said in its report. “Furthermore, while FIN10 is predominantly financially motivated, as evidenced by its preferred monetization technique (i.e., extortion), it is plausible the group is also motivated, at least in part, by ego.”