Security firm FireEye released a new report today describing the activities and techniques used by a hacker group it identifies as FIN10 that has been exploiting mining companies and casinos.
According to FireEye’s analysis, FIN10 has been active from at least 2013 through 2016 and does not rely on zero-day vulnerabilities, but rather publicly available software and techniques, to exploit victims. FireEye declined to provide eWEEK with metrics on the number of victims exploited by FIN10 or the total financial impact, although it indicated where all of the victims were geographically located.
“All of the known compromised organizations are based in Canada,” Charles Carmakal, vice president with FireEye’s Mandiant cyber-security consulting group, told eWEEK.
After infiltrating an organization, FIN10 steals data and then threatens the victims that the data will be publicly released or that IT systems will be disrupted. FIN10 demanded different amounts from the victims, ranging from 100 to 500 Bitcoins, or approximately $124,000 to $620,000.
Though FIN10 is stealing data, it is not a ransomware operation, according to FireEye. With ransomware, a victim’s data is encrypted by the attacker and then held for ‘ransom’ until a payment is made.
“We have not observed FIN10 encrypting victims’ data in the past,” Carmakal said.
Carmakal said that FIN10 is a financially motivated threat actor that extorts businesses for money. FIN10 steals sensitive data from victims, engages executives and board members, and threatens to publish the stolen data if money is not paid.
“They escalate their attack by destroying systems and engaging with journalists to maximize exposure of the breach in an attempt to coerce the victims to pay,” Carmakal said.
As to why FIN10 specifically attacked Casinos and mining companies, FireEye has not determined a a clear motive. What is clear however is that FIN10 is not using any custom hacking tools or zero-day malware to achieve its objectives.
“We have only seen FIN10 use publicly available security tools like Metasploit, PowerShell Empire, and Splinter RAT (Remote Access Trojan),” Carmakal said.
Metasploit is a popular open-source penetration testing framework that is used by security researchers to test organizations for resilience against threats. Part of the Metasploit framework is the meterpreter payload delivery tool which is what the FIN10 attackers were using to infect the victimized organizations. PowerShell Empire is an open-source, post-exploitation tool that is used by attackers to execute commands on a system after it has been infiltrated.
Attribution for the FIN10 attacks is a somewhat complicated matter. Carmakal said that FireEye does not know where FIN10 is based, but strongly suspects that the individual writing the communications to victims and the public is a native English speaker. FireEye’s research and analysis has shown that FIN10 is known to throw false flags and has purported to be from Russia and Serbia.
“One of the personas that FIN10 took on purported to be a Russian hacktivist organization,” Carmakal said. “In reading their communications, it was clear that they were not native Russian speakers.”
“We believe they used translation software to convert English to Russian,” he added.
Defending Against FIN10
“While FIN10 appears to have less technical capability than other financially motivated threat actors that we typically investigate, they have proven to be very effective in compromising several organizations’ networks and achieving their objectives,” Carmakal said.
There are several pro-active technologies that Carmakal recommends organizations deploy to limit the risk of being exploited by a hacking group like FIN10.
“While there is no silver bullet in security, we believe organizations can help combat FIN10 by leveraging email threat prevention solutions to identify and block phishing campaigns and use endpoint detection and response (EDR) solutions to identify and block the tools and back doors that FIN10 deploys on endpoints,” he said.