A so-called “pen-tester” for the financial cybergang known as FIN7 will spend seven years in the slammer after being convicted for payment-card theft.
According to the Department of Justice, Andrii Kolpakov, a Ukrainian national, was also ordered to pay a tidy $2.5 million in restitution for his crimes.
FIN7 (aka Carbanak Group or Navigator Group) is a well-known threat that’s been circulating since at least 2015. The group typically uses malware-laced phishing attacks against victims in hopes they will be able to infiltrate systems to steal bank-card data and sell it. It has also become well-known for targeting point-of-sale (PoS) systems at casual-dining restaurants, casinos and hotels. Since 2020, it has also added ransomware/data exfiltration attacks to its mix, carefully selecting targets according to revenue using the ZoomInfo service.
As for Kolpakov, he was sentenced on Thursday in the Western District of Washington after pleading guilty last year in June to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.
According to documents filed in the case, he served as a high-level hacker for FIN7, often referred to as a penetration tester by the group – i.e., someone who looks for weaknesses in a target’s security defenses. He also managed other hackers tasked with breaching the security of victims’ computer systems, the DoJ said.
“During the course of the scheme, Kolpakov received compensation for his participation in FIN7, which far exceeded comparable legitimate employment in Ukraine,” according to the announcement. Moreover, FIN7 members, including Kolpakov, were aware of reported arrests of other FIN7 members, but nevertheless continued to attack U.S. businesses.”
He was arrested in Lepe, Spain, back in June 2018 and extradited to the U.S. in June 2019.
FIN7’s Trail of Carnage: $1B in Customer Losses
“Members of FIN7…engaged in a highly sophisticated malware campaign to attack hundreds of U.S. companies, predominantly in the restaurant, gambling and hospitality industries,” according to the DoJ’s announcement on Thursday. “FIN7 hacked into thousands of computer systems and stole millions of customer credit- and debit-card numbers that were then used or sold for profit. FIN7, through its dozens of members, launched waves of malicious cyberattacks on numerous businesses operating in the United States and abroad.”
In fact, in the U.S. alone, FIN7 stole more than 20 million customer card records from more than 6,500 individual PoS terminals at more than 3,600 separate business locations, in all 50 states, according to the DoJ. The total haul in terms of victim losses exceeded $1 billion. High-profile victims include Arby’s, Chili’s, Chipotle Mexican Grill, Jason’s Deli and Red Robin.
The DoJ goes on to describe how FIN7, to gain initial access to a target environment, carefully crafted email messages that “would appear legitimate to a business’s employees, and accompanied emails with telephone calls intended to further legitimize the emails.”
This is a tactic that the group recently took to an extreme, when it was spotted pushing its signature Carbanak remote-access trojan (RAT) malware under the guise of the package being a tool from cybersecurity stalwarts Check Point Software or Forcepoint.
And in May, it surfaced with the Lizar malware, which can harvest all kinds of info from Windows machines. In that case, FIN7 was pretending to be a legitimate organization that hawks Lizar as a Windows pen-testing tool for ethical hackers. They went to great lengths for verisimilitude, researchers said: “These groups hire employees who are not even aware that they are working with real malware or that their employer is a real criminal group.”
Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!