Cybercriminals targeting casinos and mining firms in North America have extorted as much as $620,000 per theft during a four-year run in which they threaten victims with the destruction or public release of stolen data.
Between 2013 and 2016, mostly Canadian firms were hit with nearly a dozen seemingly unrelated hacks, but after an analysis of the attacks, researchers at FireEye concluded similarities between the tactics, techniques and procedures used indicated the crimes were committed by one threat actor. FireEye calls the group FIN10, shorthand for tenth financially motivated attacker the researchers have identified.
“We believe the primary goal of this threat group is to steal corporate business data, files, records, correspondence and customer PII, and then to extort victim organizations for non-release of the stolen data,” wrote FireEye in its report released last week titled “FIN10: Anatomy of a Cyber Extortion Operation.”
The typical dollar amount demanded from victims has been $124,000 to $620,000, and payments must be made in Bitcoin. FIN10 uses spear phishing to compromise victims, leveraging the targets’ use of social media accounts, such as LinkedIn.
“In one intrusion, the phishing email referenced an updated holiday schedule for organizational staff. The embedded URL pointed to a malicious HTML Application (HTA) file,” wrote FireEye. “In another intrusion, a phishing email referenced an employee questionnaire. The embedded URL pointed to a Word Open XML Macro-Enabled Document file (DOCM) file.”
Of note, FIN10 does not rely on exploit kits. Instead, the group uses publicly available software, scripts and known techniques to penetrate into company networks.
“Where the initial compromise was identified, the attacker(s) used social engineering and specifically crafted lures to entice victims to click on a link that directed them to a FIN10-controlled server. The server hosted malicious artifacts that ultimately executed code on one or more systems. In these instances, the malicious code were downloaders that beaconed out to attacker controlled infrastructure,” according to the report.
Once a foothold is established, the attackers use fileless malware, leveraging tools such as Meterpreter and PowerShell to deliver the payload.
“Threat actors often use PowerShell to write their own malicious utilities, which typically decrease chance of detection by popular endpoint security controls,” FireEye wrote. Once in, FIN10 uses malware to exploit holes in Windows Remote Desktop Protocol for lateral network movements.
With access to the target’s network secured, adversaries steal data and plant malware with destructive data scripts that later allow criminals to delete or disrupt the victim’s computers and network as needed, according to researchers.
Cybercriminals then post proof of stolen data on publicly accessible websites and demand targets pay a fee. Failure to pay could result in the public release of stolen data and potential disruption or destruction of the victim’s data and systems, researchers said.
Researchers can’t say for sure where attackers are located. However, what FireEye can verify are a number of false flags designed to make it appear as if attackers were of Russian origin.
“In at least one intrusion self-identified as the ‘Angels_Of_Truth,’ and claimed the attacks on the victim were in reciprocity for Canada-imposed economic sanctions on Russia. The quality of the Russian-language posts, however, was considerably poor and very similar to output obtained from online translating solutions, making it likely the attacker(s) are not native Russian speakers and were using this narrative to mislead attribution attempts,” FireEye said.