The United States Department of Justice has unsealed indictments against three high-ranking members of an international hacking group. Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, are all Ukrainian nationals and members of the FIN7 hacking group. Hladyr is currently in jail in Seattle having been extradited from Germany. The US is currently seeking the extradition of Kolpakov and Fedorov from Spain and Poland respectively.
Assistant Attorney General Benczkowski unveiled the indictments saying: “The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet.
“Because hackers are committed to finding new ways to harm the American public and our economy, the Department of Justice remains steadfast in its commitment to working with our law enforcement partners to identify, interdict, and prosecute those responsible for these threats.”
Each of the three FIN7 conspirators is charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.
An international success
This is just the latest phase in a long-running case against the FIN7 gang. In January 2018, the US asked German police in Dresden to arrest Hladyr. He is reported to be the FIN7 systems administrator who controlled all the servers and the communication between gang members. Germany quickly extradited him to Seattle, where he remains in jail.
Fedorov was also arrested in January. His arrest took place in Poland where he is still in jail. His role was supervising the other hackers used by FIN7 to gain access to banks and other companies.
The last of these three arrests occurred in late June when Kolpakov was arrested in Lepe, Spain. Like Fedorov, Kolpakov is alleged to have supervised hackers used by the FIN7 team.
International cooperation to take down cyber criminals is becoming more commonplace. Hacking groups and their infrastructure have been subjected to a number of different campaigns over the last three years. It has led to numerous arrests, charges and the disruption of hacking campaigns.
How did FIN7 work?
The charges against these three are extensive. They not only wrote and distributed their own malware, but they also used a highly customised version of the Carbanak banking malware. The US Department of Justice has detailed how FIN7 worked.
In brief:
- Phishing emails carrying infected Word documents were sent to targets.
- The emails were crafted to look like legitimate business correspondence, but when the attached document was opened, malware was installed on the target computer.
- To increase the chance of the email being opened, FIN7 would telephone the victim to say that an email had been sent, lending it credibility.
- Malware ranging from surveillance software to banking malware was installed on victims' machines, which FIN7 then controlled.
- FIN7 used the infected machines to launch attacks against other computers.
- Stolen data, such as credit and bank card details, was sold in online underground marketplaces.
- FIN7 created a front company to hide its activities. Combi Security was purportedly headquartered in Russia and Israel and claimed to offer penetration testing and other cyber security services. This allowed it to gain information about potential new clients and to access the systems of its victims.
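The article only says that opening the Word attachment installed malware; it does not say how. The following is an added triage check, not code from the article or the DOJ filing, that assumes the common case of macro-enabled documents. It flags an OOXML package (.docx/.docm) that contains word/vbaProject.bin, including the mismatch where a file named .docx carries macros, and a legacy OLE2 .doc whose bytes contain the "_VBA_PROJECT" stream name. The sample attachments are constructed in memory for the demonstration; the OLE2 check is a byte-string heuristic rather than a full compound-file parse, so it can miss obfuscated files and should be treated as a first-pass filter for a mail gateway or IR triage script.

```python
"""Triage check for Word attachments that may carry embedded VBA.

Added example, not from the original article or the DOJ filing. It ASSUMES
the attachments were macro-enabled documents (the article does not say how
the malware was installed) and looks for two indicators:
  * an OOXML (.docx/.docm) package that contains word/vbaProject.bin
  * a legacy OLE2 (.doc) file containing the "_VBA_PROJECT" stream name
All sample attachments below are constructed in memory for demonstration.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header
# OLE directory entry names are stored UTF-16LE; this stream exists only in
# documents that carry a VBA project. A heuristic, not a full OLE parse.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def classify_attachment(name: str, data: bytes) -> dict:
    """Return a triage verdict for one attachment's raw bytes."""
    verdict = {"name": name, "format": "unknown", "has_vba": False, "reasons": []}
    if data.startswith(OLE_MAGIC):
        verdict["format"] = "ole2"
        if VBA_MARKER in data:
            verdict["has_vba"] = True
            verdict["reasons"].append("_VBA_PROJECT stream name found in OLE2 file")
    elif data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            verdict["reasons"].append("zip container is corrupt")
            return verdict
        if "word/document.xml" in names:
            verdict["format"] = "ooxml"
        if "word/vbaProject.bin" in names:
            verdict["has_vba"] = True
            verdict["reasons"].append("word/vbaProject.bin present in OOXML package")
            if name.lower().endswith(".docx"):
                # .docx should never contain macros; .docm is the macro format
                verdict["reasons"].append(".docx extension but package carries macros")
    return verdict


def _build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal Word OOXML package in memory (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments; the .doc is a stub with only the OLE2 header
# and the stream name, enough to exercise the heuristic.
SAMPLES = {
    "invoice.docx": _build_ooxml(with_macros=False),
    "invoice_macro.docx": _build_ooxml(with_macros=True),
    "order.doc": OLE_MAGIC + b"\x00" * 32 + VBA_MARKER + b"\x00" * 32,
    "notes.txt": b"plain text, not a document",
}


def triage_all(samples=SAMPLES) -> dict:
    """Classify every sample; returns {name: verdict}."""
    return {n: classify_attachment(n, d) for n, d in samples.items()}


if __name__ == "__main__":
    for v in triage_all().values():
        flag = "FLAG" if v["has_vba"] else "ok"
        print(f"{flag:4} {v['name']:20} {v['format']:8} {'; '.join(v['reasons'])}")
```

Run as-is to see the four verdicts; on real mail, feed each attachment's bytes to classify_attachment and quarantine anything with has_vba set, then confirm with a proper OLE parser before acting on the OLE2 result.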
Did this lead to the arrest of the Carbanak leader?
Back in March, Spanish police arrested Denis K in Alicante. He is alleged to be the leader of the Carbanak hacking group. His arrest also led to the arrest of several other Ukrainian and Russian hackers. Spanish police also recovered a large sum of money and significant amounts of intelligence. That data was all stored on computers which have since been subjected to extensive forensic examination.
Given the timeline that is now unfolding, intelligence gathered from Hladyr in particular may well have led to the arrest of Denis K. As Hladyr was FIN7's administrator and communications controller, he would likely have had contact with Denis K. Whether the Carbanak group or FIN7 carried out the modifications to the banking malware is still unclear.
What is important is to watch who else gets arrested in the next few months. The intelligence and computers seized from FIN7 and the Carbanak group will yield a lot of intelligence. The cyber security community will hope it also leads to a lot of arrests.
The Spanish Police, in particular, will want access to all the intelligence. Spain is one of several countries that appears to be a hide-out for criminals on the run. Over the last year, Spanish police have been involved in the arrests of a number of senior hacking figures. Some of those arrests, in addition to those of Denis K and soon Kolpakov, have led to extradition to the US.
One such case is Pyotr Levashov, who ran the Kelihos botnet. He was arrested in Spain in 2017 and extradited to the US in February 2018.
What does this mean?
International cooperation to combat cybercrime continues to deliver results. The intelligence gathered from each operation is feeding into the next. Many of those arrested are Ukrainian and Russian hackers, which is increasing the tension between Russia and the US. The case of Yevgeniy Nikulin, who was arrested in 2016 and charged with hacking into LinkedIn and Dropbox, is a case in point. Russia claims that many of these citizens should be tried in Russia first.
The arrests and charges against the leaders of FIN7 are good news. They see another large-scale and successful hacking group taken down. Unfortunately, this is a game of Whack-a-mole: knock one group down and another soon pops up. Let's hope that this time the intelligence brings down more groups before they can fill the void.