Fin7 sysadmin pleads guilty to running IT for billion-dollar crime syndicate – Naked Security

A Fin7 sysadmin has pled guilty – the first higher-up to be found guilty of hacking in a US court.

The long back story begins like this: Once upon a time, there was a cybercrime wolf syndicate who pulled on the sheepskin of a penetration testing company, calling itself Combi Security and offering absolutely zero services or protection… but lots of penetration.

We know it better as Fin7, also known as Carbanak Group or Navigator Group, among many other names. Starting in at least 2015, the notorious cybercrime network carried out a highly sophisticated malware campaign targeting more than 100 US companies. Those companies included big retailers like Lord & Taylor and Saks Fifth Avenue but were predominantly in the restaurant, gaming, and hospitality industries: all victims of Fin7’s hacking into thousands of computer systems and theft of millions of customer credit and debit card numbers.

The Feds arrested three high-ranking members of Fin7 in August 2018. All were Ukrainian nationals. And on Wednesday, one of those three – Fedir Oleksiyovich Hladyr – pled guilty to being the sysadmin who ran the group’s IT operations.

Each of those three had been charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft. But in the plea agreement filed in the US District Court for the Western District of Washington in Seattle on Wednesday, prosecutors dropped it down to just two charges: conspiracy to commit wire fraud, and conspiracy to commit computer hacking. All together, Hladyr’s looking at a prison sentence of no more than 25 years, plus fines of up to half a million dollars.

This makes Hladyr the first member of Fin7 to be found guilty of hacking-related crimes in a US court.

Same old admin duties, but for crooks

Fin7 employs dozens of computer experts in multiple countries, as the plea agreement describes. And in August 2015, it hired Hladyr to be a systems administrator.

He thought he was hired by a legitimate computer security outfit called Combi Security: one that supposedly provided pen-testing services to a variety of companies around the world. On its public website, Combi presented itself as “one of the leading international companies in the field of information security.”

Nothing could have been further from the truth. Hladyr soon figured out that he’d been hired by a cybercriminal network that carried out attacks primarily through phishing emails and social engineering, encouraging victims to open malware sent as attachments in booby-trapped emails.

That malware connected compromised computers to a network of command and control (C&C) servers located around the world. Through that network, Fin7 uploaded additional malware onto victim computers, conducted surveillance, and maintained remote control.

Fin7 uses these breached computers to move laterally through networks, locating sensitive financial information such as payment card data that it can steal and sell. The syndicate also seeks out point-of-sale (POS) systems, through which it can remotely upload malware onto POS terminals used to process payment card transactions at thousands of retail and commercial locations across the US.

He didn’t know all this at first, but it didn’t take Hladyr long to find out that Combi wasn’t legit. One of his duties was to provide dozens of Fin7 members with access to communication and C&C servers, including Jabber, JIRA, HipChat, and custom botnet control panel servers, among many others.

No, Combi wasn’t legit. It was a front company for Fin7 – an organization trying to, and succeeding at, breaching the network security of victim companies.

How do you know when a pen-testing company isn’t really a pen-testing company? As the plea agreement outlines, at no time did Hladyr come across…

  • Contracts for Combi to perform pen-testing for clients.
  • Reports or recommendations from Combi to its purported clients explaining what vulnerabilities had been discovered in their network security and how they might be fixed.
  • Any measures taken to safeguard “clients” from misuse of confidential information taken from their networks, such as network credentials, network maps, and sensitive business information.

Hladyr rose through the ranks quickly, taking on ever more responsibility. He became responsible for aggregating stolen payment card information, providing technical guidance to Fin7 members, issuing assignments to Fin7 hackers, and supervising teams of hackers. He’d also routinely relay orders from the head honchos to the group’s underlings.