A newly identified hacking group is responsible for breaking into multiple Canadian casinos and mining companies in recent years, exfiltrating sensitive data, posting it online and using media to gain attention to extort victims, according to research conducted by FireEye.
Dubbed “FIN10,” the group’s techniques aren’t considered unique or sophisticated. FIN10 has relied on a suite of mostly open source tools and phishing emails to effectively compromise a targeted company, move laterally across its network and gain administrator-level access in order to steal information. After an intrusion, the group will typically seek out breach victims, like company executives and employees, to make their demands heard, threatening to leak sensitive material if they aren’t paid.
What sets FIN10 apart from other cyber threat actors is how they behave after stealing sensitive information, which includes reaching out to specific cybersecurity-focused reporters to cover their theft, thereby putting pressure on extortion targets.
The practice of using media to highlight a breach is not unique to FIN10.
“Mandiant is aware of multiple security bloggers and journalists that FIN10 attempted to communicate with. In some situations, FIN10 communicated with the journalists under the identity of the threat actor. In other situations, FIN10 communicated with the media purporting to be a victim of the compromise. FIN10 created email accounts mimicking real victim names that were released in the data dumps,” said Charles Carmakal, vice president of Mandiant, a FireEye company. “Out of respect to the media, we are unable to share the names of the journalists.”
CyberScoop was able to independently confirm that FIN10 reached out to at least one cybersecurity-focused news outlet, databreaches.net, in the past. In that incident, the hackers used another moniker identified by FireEye, “Angels_of_Truth,” to speak with a reporter.
Researchers were able to uncover several instances in which FIN10 stole confidential data, posted it to an open repository like Pastebin, and sent the victims emails demanding payments ranging from approximately $100,000 to $600,000 worth of Bitcoin, the world’s leading cryptocurrency.
Sites like pastebin.com, justpaste.it, thepiratebay.org, and mega.com were used by FIN10 to host stolen data, Carmakal told CyberScoop.
Notably, the group is also known to “false flag,” using basic translator software to convert their messages from English to Russian, researchers say. In one case, the group used the name of a well-known Serbian hacktivist group, “Tesla Team,” when communicating with a victim. Based on language patterns, it appears as if the hackers are native English speakers and are familiar with North America.
“All of the currently known FIN10 victims are Canadian casinos and mining organizations,” said Carmakal. “One of the personas that FIN10 took on purported to be a Russian hacktivist organization. In reading their communications, it was clear that they were not native Russian speakers. Based on the language translation mistakes, we believe they used software to convert English to Russian.”
FireEye continues to track FIN10 and recommends that other companies in the energy extraction and gaming sectors should be aware of the group’s techniques, tactics and procedures.
The last known breach conducted by FIN10 occurred in 2016.