[BreachExchange] Accused Ringleader of FIN7 Hacking Group Pleads Guilty

Destry Winant destry at riskbasedsecurity.com
Mon Nov 23 10:59:24 EST 2020


https://www.databreachtoday.com/accused-ringleader-fin7-hacking-group-pleads-guilty-a-15397

An accused ringleader of the notorious FIN7 hacking group, which
prosecutors say stole 15 million payment cards over several years, has
pleaded guilty to federal charges, according to court documents filed
in the case this week.

Andrii Kolpakov, who is a Ukrainian national, pleaded guilty to
charges of conspiracy to commit wire fraud and conspiracy to commit
computer hacking. He faces up to a 25-year federal prison term and a
$500,000 fine when he's sentenced, federal prosecutors note.

Kolpakov was considered a high-ranking member of FIN7 from when he
started working for the hacking group in 2016 to his arrest by law
enforcement in Europe in 2018, prosecutors say.

"Defendant Kolpakov served as a high-level hacker, whom the group
referred to as a 'pentester,' and was directly involved in breaching
the networks of numerous prominent U.S. businesses," according to the
plea agreement. "Defendant Kolpakov also managed other hackers tasked
with breaching the security of victims' computer systems. For
instance, on or about January 12, 2017, a FIN7 member introduced
himself to a new FIN7 recruit and indicated that Kolpakov would be his
supervisor."

During his time with the FIN7 hacking group, federal prosecutors
estimate that Kolpakov and others caused about $100 million worth of
losses to "financial institutions, merchant processors, insurance
companies, retail companies and individual cardholders," according to
the plea agreement.

Kolpakov was arrested by Spanish police in June 2018, and he was later
extradited to the U.S., where he initially pleaded not guilty,
according to documents from the U.S. District Court for the Western
District of Washington in Seattle (see: Feds Announce Arrests of 3
'FIN7' Cybercrime Gang Members).

In addition to Kolpakov, police arrested and charged two other FIN7
members, Dmytro Fedorov and Fedir Hladyr, who were also accused of
allegedly helping to lead the hacking group. Hladyr pleaded guilty in
2019, and his sentencing is scheduled for Dec. 11 (see: Credit Card
Theft Ringleader Pleads Guilty). The case against Fedorov is ongoing,
court records show.

FIN7 Activities

At its height, the FIN7 hacking group sent hundreds of spear-phishing
emails that targeted hospitality businesses, casinos and restaurant
chains to steal credit card data, according to federal prosecutors.
The gang allegedly stole at least 15 million payment card records from
U.S. businesses, resulting in over $100 million in losses over three
years, court records show.

FIN7 targeted dozens of businesses, including the restaurant chains
Arby's, Chili's, Chipotle Mexican Grill, Jason's Deli, Red Robin
Gourmet Burgers, Sonic Drive-In and Taco John's, according to the FBI.

Through a network of hackers mostly in Eastern Europe, the gang
created spear-phishing emails designed to resemble legitimate
messages, such as catering orders or reservation details. Those emails
often contained malicious attachments, which, if opened, infected the
company's computers, according to security analysts (see: The Art of
the Steal: FIN7's Highly Effective Phishing).

An example of a spear-phishing email sent by FIN7 (Source: Justice Department)

Gang members would typically call the targeted company to ensure that
someone got the messages and also digitally sign malware to help it
evade security tools, prosecutors say.

The initial phishing email and malicious attachments enabled FIN7 to
open a backdoor into a victim's network, and hackers could then move
laterally through the infrastructure, spread additional malware and
locate financial data and other sensitive documents.
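The phishing chain described above (a catering or reservation pretext carrying a weaponized Office attachment) is the kind of thing a mail gateway or SOC triage script can score before the document is ever opened. The following is an added example, not code from the article, the Justice Department or any FIN7 sample: it parses an e-mail, flags attachments by risky extension, legacy OLE container header, double extension and the presence of a VBA project inside an OOXML zip, and counts pretext keywords in the subject and body. The sample message, the lure word list and the macro-enabled document it builds are all constructed for this example.

```python
"""Score an inbound e-mail for FIN7-style lure + weaponized attachment.

Added example; the message, lure words and "document" are constructed.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should rarely arrive unsolicited from a catering customer.
RISKY_EXT = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm",
             ".rtf", ".lnk", ".js", ".vbs", ".hta"}
# Pretexts the article attributes to FIN7 (catering orders, reservations),
# plus a few common carding-crew lures; tune to your environment.
LURE_WORDS = re.compile(r"\b(catering|reservation|order|complaint|invoice)\b", re.I)
# Magic bytes of a legacy OLE2 compound file (.doc/.xls/.rtf wrappers).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_macros(data: bytes) -> bool:
    """OOXML documents are zips; macros are stored in a vbaProject.bin entry."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> dict:
    """Return lure hits, per-attachment reasons and a simple additive score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    haystack = (msg.get("Subject", "") or "") + " " + text
    lure_hits = sorted({m.group(0).lower() for m in LURE_WORDS.finditer(haystack)})

    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        reasons = []
        if ext in RISKY_EXT:
            reasons.append(f"risky extension {ext}")
        if name.count(".") > 1:
            reasons.append("double extension")
        if data.startswith(OLE_MAGIC):
            reasons.append("legacy OLE container")
        if has_vba_macros(data):
            reasons.append("VBA project present")
        findings.append({"filename": name, "reasons": reasons})

    score = len(lure_hits) + sum(len(f["reasons"]) for f in findings)
    return {"lures": lure_hits, "attachments": findings, "score": score}


def build_macro_doc() -> bytes:
    """Constructed stand-in for a macro-enabled .docm (zip with a VBA entry)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


def build_sample_eml() -> bytes:
    """Constructed lure e-mail in the style the article describes."""
    msg = EmailMessage()
    msg["From"] = "orders@example.com"       # hypothetical sender
    msg["To"] = "manager@example.com"        # hypothetical recipient
    msg["Subject"] = "Catering order for Friday"
    msg.set_content("Hi, please see the attached catering order and "
                    "confirm the reservation.")
    msg.add_attachment(build_macro_doc(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="catering_order.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_eml()))
```

The score is deliberately crude; in practice the "VBA project present" and "legacy OLE container" findings should gate the attachment into a sandbox regardless of the lure count, since the pretext text is the easiest part for an attacker to vary.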

The gang also infected point-of-sale machines with malware and would
then exfiltrate the data, according to prosecutors.

Once the FIN7 group had the credit or payment card number, the name of
the cardholder and the ZIP code, the stolen data was packaged and sold
on darknet forums, including Joker Stash, the court records show. At
one point, Chipotle reported nearly 4 million payment card records
stolen, while Jason's Deli had nearly 2 million records compromised.
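Point-of-sale malware of the kind described above scrapes card data out of process memory and ships it out, so the defender's counterpart is looking for PAN-shaped data where it should not be (outbound traffic, dump files, staging directories). The following is an added example, not code from the article or any FIN7 tooling: it scans a byte buffer for 13 to 19 digit runs, keeps only those that pass the Luhn check so that timestamps and phone numbers drop out, and returns masked values for an alert. The buffer, which mimics a track-2 style record and some noise, is constructed for this example using well-known test card numbers.

```python
"""Find Luhn-valid PANs in a byte buffer (DLP / memory-scan style check).

Added example; the sample buffer is constructed and uses public test numbers.
"""
import re

# Digit runs of PAN length, not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list:
    """Return every Luhn-valid PAN candidate in the buffer, in order."""
    return [m.group(1).decode() for m in PAN_RE.finditer(buf)
            if luhn_ok(m.group(1).decode())]


def mask(pan: str) -> str:
    """Keep BIN and last four, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(buf: bytes) -> dict:
    """Summary suitable for an alert: count plus masked values."""
    pans = find_pans(buf)
    return {"count": len(pans), "masked": [mask(p) for p in pans]}


# Constructed sample: a track-2-like record, a non-Luhn 16-digit run,
# a second valid test PAN and a phone number (too short to match).
SAMPLE = (b"POS log: ;4111111111111111=25121010000000000000? "
          b"txn 1234567890123456 card 5500000000000004 phone 2065550100")

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The 20-digit expiry/service-code field after the `=` is never matched because the lookbehind and lookahead refuse to split a longer digit run, and the 16-digit transaction id fails Luhn; only the two real PAN shapes survive. Real scrapers also target track data with the `=` separator and Base64 or XOR-encoded staging files, so this is a first filter, not a complete detector.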

Dozens of hackers worked for FIN7 between August 2015 and January
2018, prosecutors say, and the gang operated its own front company
called Combi Security to help hide its activities.

When police arrested Kolpakov in 2018, the plea agreement notes, he
was carrying a laptop, storage device and mobile phone that contained
"multiple thousands of payment card numbers and employee credential
information stolen from various U.S. victim companies through the
aforementioned hacking activity on behalf of the FIN7 hacking group."
