Versatile threat actors are the first cybercrime gang to win the ‘FIN’ designation in three years

FIN11 hacking group promoted to financial cybercrime elite

Security researchers have identified a new, highly active financial cybercrime group.

FIN11’s scope is broad: its targets include universities, government agencies, and organizations in the utilities, pharmaceutical, and shipping and logistics sectors, according to a report published today by US cybersecurity firm Mandiant.

Previously, in 2017 and 2018, the group focused on the financial, retail, and restaurant sectors.

Activities associated with FIN11 first came to light in 2016, but Mandiant has now ‘graduated’ the threat actor to ‘FIN’ status, the first financial threat group to earn the designation in three years.

One reason for the group’s promotion is its move into hybrid extortion, “combining ransomware with data theft to pressure their victims into acquiescing to extortion demands”, with ransom demands reaching as high as US$10 million.

What is FIN11?

According to Mandiant, now part of FireEye, FIN11 is behind some of the longest-running and largest malware campaigns researchers have seen.

The cybercrime gang relies primarily on phishing emails to gain a foothold in corporate networks, and is moving into hybrid extortion by distributing CLOP ransomware.

While the group is well known for targeting organizations in North America, Mandiant says that around half of the victim organizations listed on the ‘CL0P^_-LEAKS’ website are based in Germany. Organizations in the UK, India, Austria, Spain, and Germany have also been targeted.

Mandiant has found German and Italian language lures being deployed in FIN11 attacks.


The firm believes the group is based in the Commonwealth of Independent States (CIS), “based on Russian-language metadata in their files, a significant decline in activity during certain Russian holidays, and the use of tools and services advertised on Russian-language underground forums,” Genevieve Stark, analyst at Mandiant Threat Intelligence, told The Daily Swig.

“The group has also deployed CLOP ransomware, which does not encrypt systems that are configured to use the Russian character set and keyboard layouts used in CIS nations. This technique is often adopted by cyber criminals in CIS nations because the Russian government typically ignores actors that do not target these countries.”

Stark said that Mandiant had no “evidence to suggest that FIN11 provides direct or indirect support to government entities. FIN11 has targeted organizations in a broad range of sectors and regions, only some of which would be of interest to intelligence officials.

“It is however plausible that FIN11 provides government officials monetary compensation or victim data as an incentive to ignore their criminal activity.”

Image caption: FIN11 has been linked to the Commonwealth of Independent States

What are FIN11’s tactics?

Mandiant detected common code families that it believes are exclusive to FIN11: ‘FlawedAmmyy’, ‘FRIENDSPEAK’, and ‘MIXLABEL’. These also overlap with the cybercrime activity set TA505, although the infosec outfit says that not all TA505 attacks are linked to FIN11.

The group uses malicious Microsoft Office files to deliver conventional financial lures including ‘sales order’, ‘bank statement’, and ‘invoice’, but more recently it has targeted pharmaceutical firms with lures including ‘research report’ and even ‘laboratory accident’. The documents deliver the FRIENDSPEAK downloader, which in turn deploys the MIXLABEL backdoor.

Mandiant researchers warn that FIN11 develops its TTPs rapidly. Most worrying is the move to hybrid extortion, as FIN11 looks to monetize its attacks. After establishing access with MIXLABEL and FlawedAmmyy, the group uses ‘SALTLICK’ to disable Windows Defender and ‘NAILGUN’ to deploy the CLOP malware. At least one organization that was hit by CLOP reports being reinfected after restoring its data from backups.
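The sequence described above, in which Windows Defender is switched off and a payload is then launched on the same host, is something a detection team can look for in its own telemetry. The script below is an added example written for this article; it is not code from Mandiant, FireEye or The Daily Swig. It assumes Windows event logs have been exported as JSON lines with the field names shown (`time`, `host`, `channel`, `event_id`, `image`), which is an assumption about the export format rather than a standard. The Windows Defender operational event IDs it keys on (5001 real-time protection disabled, 5010 malware scanning disabled, 5007 configuration changed) and Sysmon event ID 1 (process creation) are real; the log records themselves are constructed sample data.

```python
"""Flag 'Defender tampered, then untrusted process started' sequences in sample event logs.

Added example for this article, not code from Mandiant, FireEye or The Daily Swig.
The Defender/Sysmon event IDs are real; the JSON-lines export format and the
log records below are constructed for illustration.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Microsoft-Windows-Windows Defender/Operational events that indicate protection being weakened.
DEFENDER_TAMPER_IDS = {
    5001: "real-time protection disabled",
    5010: "malware scanning disabled",
    5007: "Defender configuration changed",
}
SYSMON_PROCESS_CREATE = 1  # Microsoft-Windows-Sysmon/Operational: process creation

# Binaries launched from these locations are treated as expected; anything else is suspicious.
TRUSTED_PATH_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample log (one JSON event per line); hostnames, paths and times are invented.
SAMPLE_LOG = r"""
{"time": "2020-10-13T09:14:02Z", "host": "ws-17", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 1001, "message": "Scan finished"}
{"time": "2020-10-13T09:21:40Z", "host": "ws-17", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "message": "Real-time protection is disabled"}
{"time": "2020-10-13T09:21:41Z", "host": "ws-17", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5010, "message": "Scanning for malware is disabled"}
{"time": "2020-10-13T09:23:05Z", "host": "ws-17", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "image": "C:\\Users\\Public\\svc_update.exe", "parent": "C:\\Windows\\System32\\cmd.exe"}
{"time": "2020-10-13T11:00:00Z", "host": "fs-02", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007, "message": "Configuration changed"}
{"time": "2020-10-13T11:05:00Z", "host": "fs-02", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "image": "C:\\Program Files\\Vendor\\agent.exe", "parent": "C:\\Windows\\System32\\services.exe"}
"""


@dataclass
class Alert:
    host: str
    tamper_event: int
    tamper_time: str
    followed_by: Optional[str]  # untrusted image started within the window, if any
    severity: str               # "high" when a payload followed, otherwise "medium"


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["_ts"])


def find_tamper_sequences(events: List[dict], window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """For every Defender-tampering event, look for an untrusted process start on the same host soon after."""
    alerts = []
    for i, ev in enumerate(events):
        if "Windows Defender" not in ev["channel"] or ev["event_id"] not in DEFENDER_TAMPER_IDS:
            continue
        followed_by = None
        for later in events[i + 1:]:
            if later["_ts"] - ev["_ts"] > window:
                break  # events are sorted, so nothing further is inside the window
            if later["host"] != ev["host"]:
                continue
            if "Sysmon" in later["channel"] and later["event_id"] == SYSMON_PROCESS_CREATE:
                image = later.get("image", "")
                if not image.lower().startswith(TRUSTED_PATH_PREFIXES):
                    followed_by = image
                    break
        severity = "high" if followed_by else "medium"
        alerts.append(Alert(ev["host"], ev["event_id"], ev["time"], followed_by, severity))
    return alerts


if __name__ == "__main__":
    for a in find_tamper_sequences(parse_events(SAMPLE_LOG)):
        what = DEFENDER_TAMPER_IDS[a.tamper_event]
        tail = f", then started {a.followed_by}" if a.followed_by else ""
        print(f"[{a.severity}] {a.host} {a.tamper_time}: {what}{tail}")
```

Run against the sample, the two ws-17 tamper events are rated high because an executable from a user-writable directory started two minutes later, while the fs-02 configuration change is rated medium because the only process that followed came from a vendor directory. A Defender event alone is noisy (administrators and updates change settings too); the correlation with what ran next is what separates routine configuration changes from the pattern the report describes.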


“Each FIN group tracked by Mandiant Intelligence employs unique tactics, techniques, and procedures (TTPs) that allow us to track them,” Jeremy Kennelly, analysis manager at Mandiant, told The Daily Swig.

“FIN7, as an example, is a threat group that has historically focused nearly exclusively on the theft of payment card data from US-based retail and hospitality organizations.

“By contrast, FIN11 has targeted organizations much more broadly across both geographies and industries, uses a much broader and more diverse set of malware in their operations, and in more recent operations seem to have been focused on monetizing intrusions via the post-compromise distribution of ransomware.”

How successful is FIN11, and should CISOs worry?

“It is difficult to evaluate FIN11’s success rate because ransomware victims frequently choose not to publicly disclose the compromise or any subsequent ransom payments,” says Genevieve Stark. “However, FIN11 would not have adopted ransomware and data theft extortion as their primary method of monetization if it was not profitable.

“Since 2018, we’ve observed multiple threat groups shift to post-compromise ransomware deployment.

“At the same time, ransom demands have drastically increased,” adds Stark. “In October 2020 they allegedly demanded over $20 million from a German technology company. While we haven't had the opportunity to analyze technical details of these attacks, all of the intrusions involving CLOP that Mandiant has responded to have been attributed to FIN11.”


As the global Covid-19 pandemic continues, the attacks are only likely to increase, according to Paolo Passeri, cyber intelligence principal at cloud security provider Netskope.

“I am not surprised that even financially motivated groups are now focusing on double-extortion intrusive ransomware attacks,” he told The Daily Swig.

“Unfortunately the current pandemic situation is facilitating these attacks since the sudden shift to remote working by many organizations has had [the] side effect [of] exposing unprotected services (like RDP) and misconfigured cloud services [that] attackers are eager to exploit.

“This new discovery by FireEye continues the nefarious legacy of the FIN groups. The fact that a FIN group is now focusing on targeted ransomware attacks is indicative of how lucrative this business has become for cyber criminals.”

Defending against FIN threats

Elliot Rose, head of cybersecurity at PA Consulting, said the designation of a new FIN group continues a burgeoning trend.

“In 2018, following a number of arrests in the FIN7 case, the threat seemed to continue with a view that the methods had been shared with others and/or the network was much wider than first thought.”

FIN threat groups are distinct from APT groups insofar as they are typically even more sophisticated and demand a different response from security teams.

“They tend to target their victims through social media analysis and associated spear phishing, which has led to serious breaches of information, and they enrol, through fake companies, the innocent in the form of pen testers and developers, to help them in their criminal activities,” explained Rose.

This means that “employee education plays a key part, alongside technology, in combating the threat. That means telling them to be very careful what they post on social media, to avoid clicking on links in emails, and to avoid disclosing information to anyone they are not completely certain is who they say they are. Think before you click is a key defense!”

The motives of FIN groups are also fundamentally different.

“Nation-state attacks look to disrupt and steal IP, whereas these groups are motivated by financial gain,” explained Rose. “The fact that many are working from CIS emphasises the need for significant levels of international co-operation across law enforcement.”

The report can be accessed via Mandiant’s threat intelligence service.
