DOJ Arrests Hackers Connected to Breach of Over 100 US Companies

August 1, 2018 Updated: August 1, 2018

Three members of an international cybercrime group known as “FIN7” have been arrested for hacking a number of U.S. companies, according to charges filed in the U.S. District Court in Seattle.

The men, allegedly high-ranking members of the hacking group, were each charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft, according to three federal indictments unsealed on Aug. 1. The members, all Ukrainian nationals, were identified as Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30.

FIN7 members were engaged in a “highly sophisticated malware campaign targeting” more than 100 U.S. companies, largely in the restaurant, gaming, and hospitality industries, according to the Department of Justice (DOJ). In total, they managed to steal over 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.

Some of the affected restaurant chains in the United States were Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli. Breaches also took place in other countries including in the United Kingdom, Australia, and France.

“Cybercriminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong,” said U.S. Attorney Hayes in a statement.

The group’s members “targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet,” Assistant Attorney General Benczkowski said.

The darknet is an underground online marketplace accessible only via specialized software and used by cyber mercenaries to sell data. The marketplace contains a public market, invite-only submarkets, and hacker-for-hire services ready to breach any network in any country.

At the request of U.S. officials, foreign authorities arrested Ukrainian national Fedir Hladyr and a second FIN7 member, Dmytro Fedorov, in separate operations in January.

Hladyr, who was arrested in Dresden, Germany, is currently being held in Seattle, pending trial. He allegedly was the group’s systems administrator who maintained servers and communication channels and held a managerial role. His trial is scheduled for Oct. 22.

The second member, Fedorov, was a high-level hacker and manager who allegedly supervised other hackers tasked with breaching the computer systems. He was arrested in Bielsko-Biala, Poland, and remains detained there, pending an extradition to the United States.

The third FIN7 member, Ukrainian Andrii Kolpakov, was arrested in June by foreign authorities in Lepe, Spain. He was also allegedly supervising a group of hackers. Currently, he remains in custody in Spain, pending extradition to the United States.

Special Agent in Charge Jay S. Tabb Jr. said the naming of the FIN7 leaders signifies a major step towards “dismantling this sophisticated criminal enterprise.”

FIN7, a group with dozens of members, would typically begin a cyber attack with a “phishing” email to a company employee. Attached to it would be a file, often an innocent-looking Microsoft Word document with embedded malware, according to a fact sheet created by the DOJ. The email’s text masqueraded as a legitimate business message to lead the recipient to open the attachment, activating the malware.

“In many cases, FIN7 would accompany the phishing emails with a telephone call to the victim company employee about the same topic, which was intended to legitimize the phishing email,” the fact sheet said.

As soon as a victim’s computer was breached, it would connect to one of FIN7’s command-and-control servers located around the globe. FIN7 could then download more malware to the computer and remotely send commands to retrieve data. The group used the notorious “Carbanak” banking malware that has been used by other cybercriminals in wide-reaching attacks on the banking industry.

In order to provide a legitimate front, FIN7 created a fake company dubbed Combi Security, to recruit more hackers.

Follow Bowen on Twitter: @BowenXiao3