Threat Watch

Another Member of FIN7 Arrested and Extradited to the US

Court documents unsealed this week revealed that a fourth member of the cyber-criminal gang known as FIN7 was arrested in Thailand and extradited to Seattle to face justice in the United States last week. Denys Iarmak, also known by his alias “GakTus,” is alleged to have been a hacker who participated in the compromise of computers used to operate point-of-sale cash registers at hotels, restaurants and other businesses across the United States. The criminal group coordinated their efforts to steal millions of payment card records, and then profited by selling access to the details needed to make clones of the credit cards on underground marketplaces including “Joker’s Stash,” one of the largest so-called “carding shops” on the Internet. Nearly all of FIN7’s computer intrusions used phishing email messages and phone calls to convince employees of targeted companies to open a document or spreadsheet file, which would install malware. At the time that each malicious document was sent, the malware was deliberately altered so that it would not be detected by any anti-virus program. The unsealed indictment alleges that Iarmak was responsible for making sure the malware was undetectable by anti-virus, along with sending phishing emails and other tasks. Iarmak joins fellow FIN7 conspirators Fedir Hladyr, Dmytro Fedorov and Andrii Kolpakov in the US criminal justice system. According to the indictment, however, there are still more members of the criminal group who are being investigated and remain very active in targeting US companies.

ANALYST NOTES

Because it is common for well-funded and technologically advanced threat groups such as FIN7 to evade detection by anti-virus products, it is important to include more robust security controls as part of a defense-in-depth strategy. Employee education to recognize phishing is important, but eventually the attackers will find the right message to convince at least one employee to open a document or click on a link. At that point, the only effective defense is detection of unusual behaviors on the employee’s workstation that indicate an attacker has remote control of that computer. Endpoint Detection and Response (EDR) tools, coupled with alert security analysts, have been extremely effective at detecting FIN7 and other threat groups in the early stages of their attacks and putting a quick stop to intrusions before they have a chance to do damage.

For more information, please see the criminal indictment and motion to redact: https://www.documentcloud.org/documents/6928022-Iarmak-Motion-to-Redact.html