A manager and system administrator of the hacking group FIN7 (aka Carbanak) has been sentenced to 10 years in prison for his role in cybercrimes costing firms and consumers billions. Three other FIN7 members are also facing trial.
The Case Against the FIN7 Group
Ukrainian national Fedir Oleksiyovich Hladyr was arrested on 18 January in Dresden, Germany, for finance-based cybercrimes. He was then extradited to the US to face trial. He is one of four FIN7 members, all Ukrainian nationals, that were arrested in 2018 and extradited to the US. Fellow FIN7 hacker Andrii Kolpokov will be sentenced in June this year and faces 25 years in prison. The cases against the other two members, Denys Iarmak and Dmytro Fedorov, are continuing. They are expected to last until 2022.
According to prosecutors, in the US alone, FIN7 stole more than 20 million customer credit and debit card records. The records were taken from over 6,500 individual point-of-sale (PoS) terminals belonging to more than 3,600 separate businesses. According to a statement released by the US Department of Justice, the group caused losses estimated to over $1 billion. Victims included consumers, banks, merchants and credit card companies located in all 50 US states and the District of Columbia. The group also targeted computer networks in Australia, the UK and France.
The initial compromise of companies’ systems was conducted via spear phishing emails and scam calls. The phishing campaigns mainly targeted restaurants, gambling institutions and other hospitality firms. They also caused bank ATMs to dispense cash. The emails contained attachments that, once opened, triggered an adapted version of the group’s Carbanak malware. The malware was used to steal payment card data, which was then either exploited by FIN7 or sold on the dark web.
“FIN7 carefully crafted email messages that would appear legitimate to a business’ employee, and accompanied emails with telephone calls intended to further legitimize the email,” prosecutors said.
Fedir Hladyr, 35, was one of the leaders of the FIN7 hacking group and acted as the group’s systems administrator. Hladyr apparently joined the group accidently when he applied for a job at the information security company, Combi Security. Combi Security was setup around 2015 by the FIN7 group as a front for their activities. The group is said to number around 70 individuals that are organized into separate business units and teams. Some teams are engaged in developing malware and others in hands-on hacking. Yet another team is involved in crafting the spear phishing emails that fool victims into clicking the malicious links.
Although Hladyr soon realized that Combi Security was not a legitimate business, he continued to work for the group. As well as systems administration, his role was to aggregate stolen card information. Fellow group members Fedor, Iarmak and Kolpakov allegedly acted as network penetration testers and provided Hladyr information about hacking victims.
Hladyr also supervised FIN7 hackers, maintained the group’s command-and-control (C2) servers and managed encrypted communications. Acting US Attorney Tessa M. Gorman of the Western District of Washington stated: “This defendant worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.”
Hladyr pleaded guilty in September 2019 to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking. He originally faced 26 criminal counts. However, these charges were reduced once he agreed to plead guilty and pay $2.5 million in restitution.
On Friday 16 April, Hladyr was sentenced in Seattle to 10 years in prison in the US for his cybercrimes. The 10-year sentence includes the 3 years Hladyr has already spent in custody awaiting trial. The judge handed down the lengthy sentence as a deterrent to other cybercriminals, saying they “must understand that, once caught, the punishment will be significant”.
Acting assistant attorney general Nicholas McQuaid of the Justice Department’s Criminal Division also stated: “Protecting businesses — both large and small — online is a top priority for the Department of Justice. The department is committed to working with our international partners to hold such cyber-criminals accountable, no matter where they reside or how anonymous they think they are.” German law enforcement provided the US with significant assistance in arresting Hladyr.
During his sentencing hearing, Hladyr told the court: “I have ruined years of my life and put [my] family through great risk and struggle.”
FIN7’s Operations Continue
Despite the arrests of the four FIN7 hacking group members, experts believe that the group will continue its criminal operations.
Furthermore, in December last year the security vendor Truesec found a connection between FIN7 and the Ryuk ransomware group. Truesec’s findings suggest that the two cybercriminal groups may be collaborating.