Malware from notorious FIN7 group is being delivered by snail mail

Not all suspicious USB sticks are a test.

While hackers all over the world rely on emails and text messages to breach networks, one infamous criminal group appears to be turning to the mailman to deliver their malicious code.

Malware authored by FIN7, which researchers say has stolen over $1 billion in recent years, has been delivered by the U.S. Postal Service to multiple organizations in recent months, according to security company FireEye.

The code comes on USB sticks that, once inserted into a computer, install a “backdoor” known as Griffon that can lead to the theft of sensitive data. The malicious code, which multiple security companies have attributed to FIN7, burrows into the target computer and beacons back to the group for further instructions. How many of the USB deliveries led to network breaches remains unclear. FireEye said its investigation is ongoing.

The hacking attempts raise questions about how a group thought to be based in Eastern Europe, and one that U.S. officials have hunted for years, has been able to get their malware hand-delivered to American organizations.


FIN7 may be using a “middleman or unwitting mule in the U.S.,” though concrete evidence remains elusive, said Barry Vengerik, technical director at FireEye.

In one case, someone shipped FIN7 malware to a large company in the U.S. hospitality sector with a gift card from Best Buy. An English-language letter dated Feb. 12 claiming to be from a Best Buy customer relations executive contained the malicious USB device. Cybersecurity company Trustwave said one of its clients spotted the suspicious device and didn’t plug it in.

The FBI field office in Seattle on Thursday tweeted a warning about malicious USB sticks arriving by mail.

It is just the latest social engineering trick from a hacking group that has haunted hotels and retailers for years. U.S. prosecutors caught FIN7’s IT administrator,  who pleaded guilty in September, though the hacking has continued. The group is so well-drilled that some researchers consider it on par with an “advanced persistent threat,” or state-sponsored group. They’re also meticulous to the point of calling victims before and after they send a phishing email to get them to click on it.


“In the past, we saw FIN7 exchanging dozens of emails with their victims before sending the malicious payloads,” said Félix Aimé, senior security researcher at anti-virus company Kaspersky.  “These new campaigns leveraging physical devices are the direct continuation of their highly sophisticated social engineering campaigns.”

The delivery of a USB stick is a popular tactic among “red teams” and penetration testers — cybersecurity professionals hired to assess an organization’s security. But it appears to be less common among malicious hackers.

FIN7, however, has been known to run at least one fake cybersecurity company that employs translators and penetration testers who may not realize they’re working for criminals. Sometimes the strange appearance of a USB stick isn’t a test.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts