Researchers have dealt a significant blow to the notorious Russian cyber gang FIN7, exposing a network of over 4,000 malicious domains and dozens of IP addresses across Russia and Estonia.
Once declared extinct, the financially motivated threat actor FIN7 recently reappeared in the ransomware game with upgraded tools and some never-before-seen tactics.
Three cross-organization teams from Silent Push, Stark Industries Solutions, and Team Cymru collaborated for several months to deliver a major setback to the gang.
Researchers have identified two clusters of potential FIN7 activity and listed more than 4,000 domains used by the gang.
“The two clusters indicate communications inbound to FIN7 infrastructure from IP addresses assigned to Post Ltd (Russia) and Smart Ape (Estonia), respectively,” Team Cymru’s report reads.
Multiple domains, such as thomsonreuter[.]info, hotnotepad[.]com, dhlpost[.]nl, and others were used in massive global phishing and malware campaigns targeting the Louvre, Meta, and Reuters. Silent Push previously reported that hackers were after high-profile brands and organizations from a wide range of industries.
The gang will no longer be able to quietly use the 25 IP addresses that hosted these domains. To hide those IPs, FIN7 had placed the domains behind Cloudflare services.
Hosting provider Stark promptly suspended any services that were still active. The company indicated that the IP addresses had been acquired through one of its resellers. The IPs led to two clusters of malicious activity.
One involved SmartApe, an Estonian cloud-hosting provider. In many cases, the hosted content was a spoofed website. The second cluster was established at Post Ltd, a broadband provider operating in the Northern Caucasus region in southern Russia.
“In the case of both clusters, the identified hosts were reported to Stark, and the customers’ services were suspended,” the researchers at Team Cymru said. “We also reported our findings to the other hosting providers mentioned in advance of publication.”
Researchers believe that such action demonstrates the value of collaboration. They plan to continue to keep the spotlight on FIN7 and other similar groups.
FIN7 was established in 2012. The gang is sometimes referred to as Carbanak or Navigator. FIN7 is best known for its highly sophisticated malware campaign targeting US companies in the hospitality and gaming industries.
In 2021, the FBI identified high-level managers of the gang’s highly organized cybercriminal business model. A high-level organizer of FIN7 was sentenced to ten years in prison. FIN7 established several fake cybersecurity companies. One of them was named Combi Security, which had a phony website and no legitimate customers.