# Fin7 hacking group targets more than 130 companies after leaders’ arrest

**[kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest](https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest)**

May 26, 2021

**According to the company’s experts, Fin7 might have extended the number of groups operating under its umbrella; increased the sophistication of its methods; and even positioned itself as a legitimate security vendor to recruit professional employees and dupe them into helping it steal financial assets.**

Fin7 is believed to be behind attacks targeting the U.S. retail, restaurant, and hospitality sectors since mid-2015, working in close collaboration and sharing tools and methods with the infamous [Carbanak](https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/) group. While Carbanak focused primarily on banks, Fin7 targeted mostly businesses, potentially making off with millions of dollars in financial assets, such as payment card credentials or account information on the computers of financial departments. Once the threat actors got what they needed, they wired money to offshore accounts.

According to Kaspersky Lab’s new investigation, the group has continued its activity - despite the arrest last year of alleged group leaders - implementing sophisticated spear-phishing campaigns throughout 2018 and distributing malware to each target through specially tailored emails. In different cases, the operators exchanged messages with their intended victims over a period of weeks before finally sending the malicious documents as attachments. Kaspersky Lab estimates that by the end of 2018, more than 130 companies might have been targeted in this way.

The researchers also discovered other criminal teams operating under the Fin7 umbrella.
The use of shared infrastructure and the same tactics, techniques and procedures (TTPs) shows that Fin7 is likely to be collaborating with the AveMaria botnet and groups known as CobaltGoblin/EmpireMonkey, believed to be behind bank robberies in Europe and Central America.

Kaspersky Lab also found that Fin7 has created a fake company that claims to be a legitimate cybersecurity vendor with offices across Russia. The company website is registered to the server that Fin7 uses as a Command and Control center (C&C). The fake business has been used to recruit unsuspecting freelance vulnerability researchers, program developers and interpreters through legitimate online job sites. It seems that some of the individuals working in these fake companies did not suspect that they were involved in a cybercrime business, with many including the experience of working in the organizations in their CVs.

_“Modern cyberthreats can be compared to the mythical creature Hydra of Lerna – you cut off one of its heads and it grows two new ones. Therefore, the best way to protect yourself from such actors is to implement advanced, multi-layered protection: install all software patches as soon as they are released and do regular security analysis across all networks, systems and devices,” said Yury Namestnikov, security researcher at Kaspersky Lab._

To reduce the risk of infection, users are advised to:

- Use security solutions with dedicated functionality aimed at detecting and blocking phishing attempts. Businesses can protect their on-premise email systems with [targeted applications inside the Kaspersky Endpoint Security for Business](https://www.kaspersky.com/small-to-medium-business-security/endpoint-advanced). Kaspersky Security for Microsoft Office 365 helps to protect the cloud-based mail service Exchange Online inside the Microsoft Office 365 suite.
- Introduce security awareness training and teach practical skills.
  Programs such as [Kaspersky Automated Security Awareness Platform](https://www.kaspersky.com/small-to-medium-business-security/security-awareness-platform) will help to reinforce skills and conduct simulated phishing attacks.
- [Provide your security team with access to up-to-date threat intelligence data](https://www.kaspersky.com/enterprise-security/threat-intelligence), to keep pace with the latest tactics and tools used by cybercriminals.

[Read the full version of the report on Securelist.com.](https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/)

Following the arrest in 2018 of a number of suspected leaders of the notorious Fin7/Carbanak cyber-gang, the group was believed to have disbanded. But Kaspersky Lab researchers have detected a number of new attacks by the same groups using GRIFFON malware.