'Prolific' Hackers Infiltrated 100 U.S. Targets, Posed as Russian Front: DoJ

An Eastern European hacking group that infiltrated the computer networks of businesses across America used a front company to help recruit new talent, the Department of Justice (DoJ) said Wednesday. Three high-ranking members are now in custody, it revealed.

The hackers—allegedly part of the notorious FIN7 team—used a front company known as Combi Security, which they claimed was headquartered in Russia and Israel, to "provide a guise of legitimacy and to recruit hackers to join the criminal enterprise," the DoJ stated. Their sham website, advertising penetration-testing job roles, even listed U.S. hacking victims as "clients."

Independent analysis found the fake security company listed job ads on Russian, Ukrainian and Uzbek recruitment websites. And some applicants may not have known of their illicit schemes.

Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, who were named in indictments this week, are described as "high-ranking members" of FIN7. The criminal unit—facing charges in a U.S. District Court in Seattle—is also known as the Carbanak Group. It is alleged that the gang stole more than 15 million card records from thousands of business locations.

[Image caption: Hackers believed to be part of the notorious FIN7 team used a front company known as Combi Security to recruit talent, the U.S. Department of Justice says. Credit: iStock]

Victimized companies that had point-of-sale terminals hacked included Chipotle Mexican Grill, Chili's, Arby's and Red Robin, officials said. The pilfered details were eventually sold on the dark web.

The hacking group is believed to have dozens of members. According to the indictments, the gang's members used phishing emails to dupe staffers at companies in 47 U.S. states. As part of the scheme, they would make telephone calls to legitimize the ruse. Once an attachment was opened, a form of malware also known as Carbanak would be installed. Security experts say the team also targeted government and telecommunications companies.

"The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise," said Jay Tabb, a special agent in charge at the FBI's Seattle Field Office.

Each of the suspected FIN7 members is now charged with 26 felony counts alleging crimes including wire fraud, computer hacking, access device fraud and aggravated identity theft.

Hladyr and Fedorov were arrested in January 2018 at the request of U.S. officials.

The alleged systems administrator, Hladyr, was arrested in Dresden, Germany, and is being detained in Seattle pending trial. Fedorov, a "high-level hacker," was arrested in Poland and is now facing extradition to America. Kolpakov, a "supervisor," was picked up in late June 2018 and remains detained in Spain, pending the United States' request for extradition.

Will It Stop the Hacking?

According to FireEye, a cybersecurity company, Carbanak malware has been active since at least 2013. Analysis suggests that FIN7 has used it since late 2015, FireEye said in a report Wednesday.

"While the recruitment of unwitting individuals as puppets has been a common component of some criminal schemes–reshipping mules who are recruited through postings on career sites advertising attractive work-from-home jobs–FIN7's veiling of full-scale financial compromises as legitimate offensive security engagements is particularly notable," researchers wrote.

"The apparent success of Combi Security in recruiting unsuspecting individuals in this manner may lead to more of this type of technical recruitment by cybercriminals in the future," the report said.

FireEye suggested the arrests by U.S. law enforcement may not deter other members. It said that new tools may be adopted, or the collective could splinter into multiple subgroups. "A portion of these malicious actors are likely to continue conducting cybercrime," experts warned.