Is This Fini for Fin7? (probably not)

Yesterday the Department of Justice announced that it had arrested three Ukrainian nationals — Dmytro Fedorov, Fedir Hladyr, and Andrii Kopakov. At first blush the announcement falls well short of generating the kind of attention that would stem from announcing the arrest of Al Capone or some other legendary crime figure. However, viewed in terms of the amount of money illegally gained through criminal acts, Al Capone actually is a bit of a piker compared to Messrs. Fedorov, Hladyr, and Kopakov. These three fellows were key players in Fin7, one of the most sophisticated and successful hacking groups yet identified.


By some estimates, Fin7 has pilfered more than a billion dollars from companies around the world, including more than 100 companies in the U.S. alone. Its victims were primarily from the restaurant, gaming and hospitality industries, including such notables as Chipotle, Arby’s, Chili’s, and Red Robin.


How did they manage to be so successful? Well, as usual, they relied on the weakness of human behavior through well-considered phishing schemes. Fin7 typically launched its cyberattacks through an email to a company employee. Each email included an attached file with embedded malware. The text of the email offered what seemed to be a legitimate business-related message aimed at getting an employee to open the attachment and activate the malware.


How legitimate did these phishing schemes seem? See for yourself. As reported in Wired: “On or around March 27 of last year, an employee at a Red Robin Gourmet Burgers and Brews received an email from Ray.donovan84@yahoo.com. The note complained about a recent experience; it urged the recipient to open the attachment for further details. They did. Within days, Fin7 had mapped Red Robin’s internal network. Within a week, it had obtained a username and password for the restaurant’s point-of-sale software management tool. And inside of two weeks, a Fin7 member allegedly uploaded a file containing hundreds of usernames and passwords for 798 Red Robin locations, along with ‘network information, telephone communications, and locations of alarm panels within restaurants,’ according to the DoJ.”


If there’s a lesson in this little story, beyond the obvious one that cybercrime pays handsomely until it doesn’t, it’s that human weakness continues to be the most obvious chink in corporate cyber armor. There is no substitute for continuous training, alerting, reminding, and prompting people to be on their guard. Dmytro, Fedir, and Andrii may be out of circulation, but there are a lot more people willing to find out whether you can resist the temptation to click on that link or open that attachment.


By Tom Davis, SDI Cyber Risk Practice

August 2, 2018
