“FIN10” Cybercrime Group Extorts Canadian Firms

A profit-driven cybercrime group tracked as FIN10 has been running an extortion operation mainly targeting organizations in North America, security firm FireEye reported on Friday.

A profit-driven cybercrime group tracked as FIN10 has been running an extortion operation mainly targeting organizations in North America, security firm FireEye reported on Friday.

A majority of the FIN10 attacks observed by FireEye have been aimed at mining companies and casinos in Canada. The hackers breached the targeted organization’s systems, obtained valuable data, and threatened to make it public unless a ransom was paid. Victims that refused to pay up had their data published online and their systems disrupted.

FIN10 has been around since as early as 2013 and its activities have continued through at least 2016. The first phase of its attacks has, at least in some cases, involved spear-phishing emails carrying links to servers controlled by the cybercrooks. The phishing emails were apparently crafted using data obtained from LinkedIn and other sources.

The early-stage tools used by the attackers included software such as Meterpreter, the Splinter remote access trojan (RAT), and PowerShell-based utilities, including ones written by the hackers themselves.

The attackers then used compromised credentials, the Windows RDP service and tools such as Splinter RAT, PowerShell Empire and Meterpreter to maintain persistence and move laterally within the victim’s network. Their goal was to steal corporate business data, including correspondence and customer PII, which they could use to extort the victim.

Organizations that refused to pay had their data leaked and their systems and networks were often disrupted via batch scripts designed to delete critical files.
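The two preceding paragraphs describe a chain a defender can look for: an interactive RDP logon on a host, followed shortly by PowerShell launched with an encoded command or by a batch script that deletes files. The detection pass below is an added example written for this article; it is not FireEye's code or anything from the FIN10 report. It assumes Windows Security events already normalized into Python dicts with hypothetical field names (`id`, `host`, `user`, `logon_type`, `cmdline`), a 30-minute correlation window chosen for illustration, and a handful of constructed sample records.

```python
"""Correlate RDP logons with suspicious follow-on process launches.

Added example, not code from the article or from FireEye. Field names,
the correlation window and the sample records are assumptions.
"""
import re
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10                 # Security 4624 LogonType for RemoteInteractive
WINDOW = timedelta(minutes=30)      # illustrative correlation window

# PowerShell started with an encoded command (-e / -ec / -enc / -EncodedCommand).
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)
# Recursive or quiet deletes typical of destructive batch files.
DELETE_CMD = re.compile(r"\b(del|erase|rmdir|rd)\b.*/[sq]", re.I)
# cmd.exe invoking a .bat script at all is worth a look right after an RDP logon.
BATCH_SCRIPT = re.compile(r"\bcmd(\.exe)?\b.*\.bat\b", re.I)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2016-03-01T02:10:00", "id": 4624, "host": "FS01", "user": "jdoe",
     "logon_type": 10, "src_ip": "10.0.5.23"},
    {"ts": "2016-03-01T02:14:00", "id": 4688, "host": "FS01", "user": "jdoe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAo..."},
    {"ts": "2016-03-01T02:20:00", "id": 4688, "host": "FS01", "user": "jdoe",
     "cmdline": "cmd.exe /c C:\\Windows\\Temp\\clean.bat"},
    {"ts": "2016-03-01T02:20:01", "id": 4688, "host": "FS01", "user": "jdoe",
     "cmdline": "cmd.exe /c del /f /s /q D:\\Finance\\*.*"},
    # Benign: console logon and a plain script file, no RDP on this host.
    {"ts": "2016-03-01T09:00:00", "id": 4624, "host": "WS07", "user": "asmith",
     "logon_type": 2, "src_ip": "-"},
    {"ts": "2016-03-01T09:05:00", "id": 4688, "host": "WS07", "user": "asmith",
     "cmdline": "powershell.exe -File backup.ps1"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def classify_process(cmdline):
    """Return a reason string for a suspicious command line, or None."""
    if ENCODED_PS.search(cmdline):
        return "encoded_powershell"
    if DELETE_CMD.search(cmdline):
        return "recursive_delete"
    if BATCH_SCRIPT.search(cmdline):
        return "batch_script"
    return None


def find_rdp_followups(events, window=WINDOW):
    """Return alerts for suspicious 4688 launches within `window` of an RDP
    logon (4624, logon type 10) on the same host."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    last_rdp = {}   # host -> (timestamp, user, src_ip) of most recent RDP logon
    alerts = []
    for e in ordered:
        t = parse_ts(e["ts"])
        if e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE:
            last_rdp[e["host"]] = (t, e["user"], e.get("src_ip", "?"))
        elif e["id"] == 4688:
            reason = classify_process(e.get("cmdline", ""))
            if reason is None:
                continue
            rdp = last_rdp.get(e["host"])
            if rdp and t - rdp[0] <= window:
                alerts.append({
                    "host": e["host"], "user": e["user"], "src_ip": rdp[2],
                    "reason": reason, "cmdline": e["cmdline"],
                    "minutes_after_rdp": (t - rdp[0]).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for a in find_rdp_followups(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} from {a['src_ip']}: {a['reason']} "
              f"({a['minutes_after_rdp']:.0f} min after RDP) -> {a['cmdline']}")
```

Run against the constructed records, the pass flags the three launches on FS01 and nothing on WS07, where the logon was local and the PowerShell invocation used a plain script file. The correlation key (host plus a time window after an RDP logon) is what keeps this from paging on every encoded PowerShell line in an environment where administrators use it legitimately.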

Victims were asked to pay between 100 and 500 bitcoins, which are worth hundreds of thousands of dollars. FireEye told SecurityWeek that some of the victims gave in to the extortion demands.

FIN10 has carried out its attacks claiming to represent various hacker groups, particularly hacktivists. In one operation they claimed to be a Russian group called “Angels_Of_Truth” and told their victim that the attack was carried out in response to Canada’s economic sanctions on Russia. Researchers determined, however, that the posts in Russian were likely written using online translation tools and not by a native speaker.

DataBreaches.net reported in June 2015 that a group calling itself “Angels_Of_Truth,” claiming to be from Russia, breached the systems of Canada-based intermediate gold producer Detour Gold Corporation. At the time, the hackers leaked personal information of employees and customers, salary information, confidential deals, donation records, medical records, legal documents, invoices, performance reviews and other data.

In other attacks, the hackers claimed to represent “Tesla Team,” a Serbian hacktivist group. In one operation, the group introduced itself as Tesla Team, but later changed its name to “Anonymous Threat Agent.”

In order to increase their chances of making the victim pay the ransom, FIN10 sent emails to staff and board members of the targeted organization. The group also informed the media about its breaches, either to put pressure on the victim or to maximize the exposure of those who refused to pay, FireEye said.

Researchers believe that FIN10’s focus on North America could suggest the attacker’s familiarity with this region.

“The relative degree of operational success enjoyed by FIN10 makes it highly probable the group will continue to conduct similar extortion-based campaigns at least in the near term. Notably, we already have some evidence to suggest FIN10 has targeted additional victims beyond currently confirmed targets,” FireEye said in its report. “Furthermore, while FIN10 is predominantly financially motivated, as evidenced by its preferred monetization technique (i.e., extortion), it is plausible the group is also motivated, at least in part, by ego.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
