How FBI’s global reach took down a cybercrime unicorn
If cybercrime syndicates were talked about like they were startups, the Fin7 hacking group would be considered a billion-dollar unicorn.
Also known as Carbanak, the group has operated on the scale and sophistication level of nation-states since 2014. It’s responsible for the theft of billions of dollars from banks and businesses around the world, leveraging phishing and social engineering to grab bank account and credit card numbers.
“For nearly four years, the Fin7 gang has been the major supplier of stolen payment card data to criminals in the dark web,” said Andrei Barysevich, a director at Boston-based cybersecurity firm Recorded Future. “Such data can then be encoded onto any plastic magstripe card, allowing criminals to make in-person purchases.”
The arrest of three high-ranking members, which was announced by the FBI on Wednesday, is devastating to the group. But the organization, which has operated using many of the same tools that power the world’s tech companies, is so big and resilient that the researchers say it may well endure and continue to profit.
One of the men indicted, Fedir Hladyr, is a 33-year-old computer analyst and administrator from Ukraine. If he weren’t helping run a criminal enterprise, his resume would look like that of a run-of-the-mill startup founder.
According to the indictment, Hladyr oversaw employees and handled Fin7’s technical systems. He also ran the group’s private HipChat server, which the organization’s members used to coordinate as they planned intrusions, spread malware and traded stolen data.
Hladyr also administered the group’s private Jira instance. The project management software, used everywhere from startups to bigger tech companies like eBay and Spotify, helps track software development and IT issues.
It turns out Jira works just as well in a criminal enterprise as it does in a traditional one. Fin7’s members used Jira for a host of purposes: tracking projects organized by targeted company, logging issues in which they shared details of each intrusion, and storing other related information on targets and stolen data.
Fin7’s criminal success is further powered by custom code and social engineering. Not only did they build their own malware and send it to targets, the group often followed up with phone calls to walk the recipient through clicking the malicious links or attachments in order to complete the infection.
A global effort
While the indictments shed some light on how organized cybercrime has become, they also show how international cooperation is increasingly leveraged by law enforcement.
Elvis Chan, who runs the FBI’s San Francisco-based Eurasian cyber threats task force, has made efforts to lay deep roots in Europe in order to navigate a cyber landscape where the line between criminals and spies is increasingly blurred.
“We are putting attorneys on the ground to help craft cyber legislation,” Chan said. “We put technical folk on the ground to help relatively young countries in Eastern Europe stand up their own capabilities. American agents, analysts and computer scientists provide training and liaise with countries across Europe from Romania and Estonia to Ukraine itself.”
The FBI deploys legal attachés to 12 countries, with a portion stationed in Eastern Europe. First developed after the Sept. 11 attacks and initially focused on counter-terrorism, the program is now largely focused on cybersecurity.
Operating as the face of the FBI in a host country, attachés work with the host government and security agencies on investigations like the one that brought down FIN7.
The map below shows where the legal attachés are located across the world.
The number of attachés is expanding, including locations in the Middle East and South America.
Transatlantic partnerships like the attaché program are intensifying as criminal and nation-backed hacking outfits show no sign of disappearing in former Soviet states. Russian education values technical skills, so ex-Soviet nations have talent in spades, but rarely have the economy to support it.
“There are a lot of highly educated, technical people and not a lot of jobs,” Chan said. “To try to make a living, many go into criminal hacking.”
These partnerships are paying off. The multimillion-dollar dark web marketplace AlphaBay was shut down thanks to a global operation that arrested suspects and seized hardware in North America, Europe and Asia.
Yet even with the attaché program, law enforcement is limited in the actions it can take. Hackers like Alexey Belan and Evgeniy Bogachev sit near the top of the FBI’s most wanted list, but are protected by a Russian government that has refused to cooperate with western law enforcement.
Even when accused Russian hackers are extradited to the U.S., as in the case of alleged LinkedIn hacker Yevgeniy Nikulin, there’s been a marked increase in hostility from the Russian government.
Even Nikulin’s lawyers say Russian officials have been attempting to intimidate them, while Nikulin himself refuses to speak to anyone.
“I think it’s because the relationship with Russia is getting worse,” Nikulin’s lawyer, Arkady Bukh, said. “It’s constant cyberwar and poisoned relationship.”
Unaware of a secret international arrest warrant, Hladyr took his wife and daughter on a vacation to Germany in early 2018. He was subsequently arrested and hastily extradited to the U.S. to face 26 felony charges for his work with FIN7.
Now, Hladyr is sitting in a Washington state federal prison waiting for a trial that may never come. The Justice Department is aiming for an October 22 start date but Hladyr’s lawyer — he’s also represented by Arkady Bukh — says the defense team is waist-deep sorting through four terabytes of evidence with Hladyr’s expert help.
By the end of it, Hladyr might end up looking for a plea deal in exchange for a lighter sentence. A deal could involve Hladyr giving up more information on what remains of the cybercrime unicorn.
“He’s of strong mind,” Bukh said. “But we don’t know what’s coming next.”