Fin7 sysadmin pleads guilty to running IT for billion-dollar crime syndicate

A Fin7 sysadmin has pled guilty – the first higher-up to be found guilty of hacking in a US court.

The long back story begins like this: Once upon a time, there was a cybercrime wolf syndicate who pulled on the sheepskin of a penetration testing company, calling itself Combi Security and offering absolutely zero services or protection… but lots of penetration.

We know it better as Fin7, also known as Carbanak Group or Navigator Group, among many other names. Starting in at least 2015, the notorious cybercrime network carried out a highly sophisticated malware campaign targeting more than 100 US companies. Those companies included big retailers like Lord & Taylor and Saks Fifth Avenue but were predominantly in the restaurant, gaming, and hospitality industries: all victims of Fin7’s hacking into thousands of computer systems and theft of millions of customer credit and debit card numbers.

The Feds arrested three high-ranking members of Fin7 in August 2018. All were Ukrainian nationals. And on Wednesday, one of those three – Fedir Oleksiyovich Hladyr – pled guilty to being the sysadmin who ran the group’s IT operations.

Each of those three had been charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft. But in the plea agreement filed in the US District Court for the Western District of Washington in Seattle on Wednesday, prosecutors dropped it down to just two charges: conspiracy to commit wire fraud, and conspiracy to commit computer hacking. All together, Hladyr’s looking at a prison sentence of no more than 25 years, plus fines of up to half a million dollars.

This makes Hladyr the first member of Fin7 to be found guilty of hacking-related crimes in a US court.

Same old admin duties, but for crooks

Fin7 employs dozens of computer experts in multiple countries, as the plea agreement describes. And in August 2015, it hired Hladyr to be a systems administrator.

He thought he was hired by a legitimate computer security outfit called Combi Security: one that supposedly provided pen-testing services to a variety of companies around the world. On its public website, Combi presented itself as “one of the leading international companies in the field of information security.”

Nothing could have been further from the truth. Hladyr soon figured out that he’d been hired by a cybercriminal network that carried out attacks primarily through phishing emails and social engineering to encourage victims to click on malware sent as attachments in boobytrapped emails.

That malware connected compromised computers to a network of command and control (C&C) servers located around the world. Through that network, Fin7 uploaded additional malware onto victim computers, conducted surveillance, and maintained remote control.

Fin7 uses these breached computers to move laterally through networks, locating sensitive financial information such as payment card data that it can steal and sell. The syndicate also seeks out point-of-sale (POS) systems, through which it can remotely upload malware onto POS terminals used to process payment card transactions at thousands of retail and commercial locations across the US.

He didn’t know all this at first, but it didn’t take Hladyr long to find out that Combi wasn’t legit. One of his duties was to provide dozens of Fin7 members with access to communication and C&C servers, including Jabber, JIRA, HipChat, and custom botnet control panel servers, among many others.

No, Combi wasn’t legit. It was a front company for Fin7 – an organization trying to, and succeeding at, breaching network security of victim companies.

How do you know when a pen-testing company isn’t really a pen-testing company? As the plea agreement outlines, at no time did Hladyr come across…

• Contracts for Combi to perform pen-testing for clients.
• Reports or recommendations from Combi to its purported clients explaining what vulnerabilities had been discovered in their network security and how they might be fixed.
• Any measures taken to safeguard “clients” from misuse of confidential information taken from their networks, such as network credentials, network maps, and sensitive business information.

Hladyr rose through the ranks quickly, taking on ever more responsibility. He became responsible for aggregating stolen payment card information, providing technical guidance to Fin7 members, issuing assignments to Fin7 hackers, and supervising teams of hackers. He’d also routinely relay orders from the head honchos to the group’s underlings.

Fin7 stole information for tens of millions of payment cards from US companies, then sold it on places such as Joker Stash – an underground carding shop that regularly sells batches of freshly ripped-off payment card details.

After carders buy those payment card details, they can then put all the legitimate card details onto the fresh magnetic stripe of a blank card, thereby cloning the card and using it to buy high-ticket items.

Hladyr took part in uploading and organizing all that stolen card data, and the malware that got it into Fin7 hackers’ hands. He created HipChat user accounts for Fin7 members, and he created the “rooms” where they shared and organized the card data.

While Hladyr was working as sysadmin for Fin7, a number of the companies they victimized went public about the data breaches.

Chipotle was one: the restaurant chain reported a data breach in 2017 that affected most of its 2,250 restaurants. Its POS devices had been infected with malware that scraped millions of payment cards from unsuspecting restaurant-goers. More than 100 fast food and restaurant chains were infected by that malware.

Jason’s Deli was another: in January 2018, it publicly disclosed a data breach that involved about two million payment cards.

Hladyr’s take: he made at least $100,000 for his participation.

As far as how much Fin7 raked in, the Feds say that its criminal activities led to over $100 million in costs to financial institutions, merchant processors, insurance companies, retailers, and individual cardholders. Those costs include the fraudulent purchases made with the stolen card details, scrubbing Fin7 malware from compromised systems, and slogging through law enforcement investigations.

So that’s one chapter in the story, but it’s far from over. Fin7 is still going strong. In fact, as of last year, Gemini Advisory – a threat intelligence firm – estimated that Fin7 was pulling in at least $50 million a month. Given that they’ve been at this for years, they likely have at least a billion dollars on hand, according to Dmitry Chorine, Gemini Advisory cofounder and CTO.

That’s a lot of money to devote to staying hidden, he said.

Not to take away from the investigative and prosecutorial work that led to the first-ever Fin7 guilty verdict, mind you. But with money like that, these guys are playing the long game. There are many more chapters in the Fin7 book yet to wind up in the courts.

Stay tuned for the next two chapters: Already in hand are the two other alleged Fin7 members, Dmytro Fedorov and Andrii Kolpakov, arrested and indicted along with Hladyr in August 2018.