A court in the United States yesterday sentenced a Ukrainian national to five years in prison for his role in a decade-long global cyber crime spree that stole more than 20 million customer card records and netted more than $1bn in proceeds.
Denys Iarmak, aged 32, acted as a penetration tester on behalf of the FIN7 cyber crime nexus, which is also tracked as Carbon Spider and Gold Niagara. The Russia-based group has latterly been associated with the use of REvil and Darkside ransomware.
He was arrested in Thailand in 2019 and subsequently extradited to the US, where he pleaded guilty last November to one charge of wire fraud and one charge of conspiracy to commit computer hacking. Two other members of the collective, who were arrested in 2018, have already been jailed for similar offences.
“Iarmak and his conspirators compromised millions of financial accounts, causing over a billion dollars in losses to Americans and costs to America’s economy,” said assistant attorney general Kenneth Polite of the Department of Justice’s Criminal Division.
“Protecting businesses – both large and small – online is a top priority for the Department of Justice. We are committed to working with our international partners to hold such cyber criminals accountable, no matter where they live or how anonymous they think they are.”
US attorney Nicholas Brown of the Western District of Washington, which handled the prosecution, added: “Iarmak was directly involved in designing phishing emails embedded with malware, intruding on victim networks, and extracting data such as payment card information.
“To make matters worse, he continued his work with the FIN7 criminal enterprise even after the arrests and prosecution of co-conspirators. He and others in this cyber crime group used hacking techniques to essentially rob thousands of locations of multiple restaurant chains at once, from the comfort and safety of their keyboards in distant countries.”
The court heard how FIN7 accessed the networks of businesses across the US, UK, Australia and France, stealing records from over 6,500 point-of-sale terminals at over 3,600 locations. Known victims in the US include restaurant chains such as Chipotle and Panera, and retailers Saks Fifth Avenue and Lord & Taylor.
It generally favoured businesses in the hospitality sector, which it targeted with tailored phishing emails, following up by placing telephone calls to its intended victims, lending additional legitimacy to its lures.
Once its targets had been convinced to open and execute the file attached to the email, FIN7 used an adapted version of the Carbanak malware and other tools to access and steal customer payment card data. Much of this data subsequently appeared for sale on the dark web.
Note that the group has been tracked as Carbanak by some researchers, but since other cyber crime groups are known to use Carbanak, it may not be strictly accurate to refer to FIN7 by this name.
Iarmak became involved with the group sometime around November 2016 and worked for it over a two-year period. He specialised in using the legitimate Jira project management software package, which FIN7 hosted on various private virtual servers, to coordinate the gang’s activities and manage its network intrusions.
The authorities believe he received substantial compensation for his work for FIN7, the value of which allegedly “far exceeded comparable legitimate employment in Ukraine”.
Still highly active
Despite the arrests and convictions of key members of FIN7, the group remains active, and continues to evolve its tactics, techniques and procedures.
Earlier in April, researchers at Mandiant, who have been instrumental in tracking FIN7, released new intelligence detailing the group’s latest activities.
Recently it has enthusiastically turned to supply chain compromise as a means of gaining access to its intended victims. Last year, Mandiant revealed, FIN7 compromised an online retailer of digital products and modified multiple download links so that they pointed to an Amazon S3 bucket hosting trojanised versions of the products. These contained an agent installer that was used to deploy a new backdoor called Powerplant.
Mandiant said Powerplant’s framework allows for a “vast” breadth of capabilities, depending on which modules are delivered from the command and control (C2) server, and is thus highly dangerous.
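The download-link hijack described above is the kind of thing a defender can check for mechanically: installer links on a vendor's download page should resolve to the vendor's own hosts, and the bytes actually downloaded should match a digest the vendor publishes out of band. The script below is an added example written for this article, not code from Mandiant or from any FIN7 victim. The vendor hostname, the S3 bucket name, the page HTML and the pinned SHA-256 manifest are all constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed sample of a vendor download page. The second installer link has
# been rewritten to point at an object-storage bucket the vendor does not own
# (hypothetical hostnames throughout).
SAMPLE_PAGE = """
<a href="https://downloads.example-vendor.com/tool-1.2.3.exe">Tool 1.2.3</a>
<a href="https://legit-looking-bucket.s3.amazonaws.com/tool-1.2.3.exe">Tool 1.2.3 (mirror)</a>
<a href="https://downloads.example-vendor.com/docs/">Documentation</a>
"""

# Assumption: the vendor publishes SHA-256 digests for each release through a
# channel separate from the download page (e.g. a signed release note).
PINNED_SHA256 = {
    "tool-1.2.3.exe": hashlib.sha256(b"legitimate installer bytes").hexdigest(),
}

# Hosts from which installers for this vendor are allowed to be served.
EXPECTED_HOSTS = {"downloads.example-vendor.com"}
INSTALLER_EXT = (".exe", ".msi", ".zip", ".pkg", ".dmg")

HREF_RE = re.compile(r'href="([^"]+)"')


def extract_installer_links(html):
    """Return every href on the page that looks like an installer download."""
    return [u for u in HREF_RE.findall(html) if u.lower().endswith(INSTALLER_EXT)]


def find_off_origin_links(html, expected_hosts=EXPECTED_HOSTS):
    """Installer links whose host is not on the vendor allowlist.

    A download link silently redirected to a third-party bucket, as in the
    compromise Mandiant described, shows up here even though the page itself
    still looks legitimate.
    """
    flagged = []
    for url in extract_installer_links(html):
        host = urlparse(url).hostname or ""
        if host not in expected_hosts:
            flagged.append(url)
    return flagged


def verify_artifact(filename, data, pinned=PINNED_SHA256):
    """True only if the downloaded bytes match the pinned digest for that file.

    Unknown filenames fail closed: an installer the manifest does not list is
    never trusted just because the link looked right.
    """
    expected = pinned.get(filename)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for url in find_off_origin_links(SAMPLE_PAGE):
        print("off-origin installer link:", url)
    print(verify_artifact("tool-1.2.3.exe", b"legitimate installer bytes"))
    print(verify_artifact("tool-1.2.3.exe", b"trojanised installer bytes"))
```

The host check catches the case the article describes, where the page is intact but the link target has been swapped; the digest check is the backstop for the case it does not, where the attacker also controls the vendor's own host. Neither helps if the attacker can edit the published manifest as well, which is why the digests should come from a channel the download server cannot alter.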