A group of cyberattackers that has been targeting Canadian businesses in financially-motivated hacks since at least 2013 has been identified in a new report.

Cybersecurity firm FireEye has dubbed the group of attackers “FIN10” in a report titled “FIN10 Anatomy of a Cyber Extortion Operation” released on Friday morning.

FIN10 operates in North America with a predominant focus on Canadian organizations, particularly casinos and mining companies.

FireEye believes the group is able to infiltrate an organization’s networks through targeted phishing email scams and social engineering.

Once the attackers have gained access to a business’ records, files, correspondence and customer information, they will post proof of the stolen data on publicly accessible websites, the report says.

They will then try to extort their victims by demanding payment in Bitcoin, a type of online “cryptocurrency” that is difficult to trace, for not releasing sensitive information, the report said.

The requested sums ranged from 100 to 500 Bitcoins (approximately US$124,000 to $620,000 as of mid-April), according to the report.

In some cases, if the targets have failed to pay up, FIN10 has destroyed integral Windows systems by deleting critical operating system files.

The cybersecurity firm attributes a number of cases beginning in at least 2013 and continuing through to 2016 to one group or network of attackers based on the similarity of TTPs (Tactics, Techniques and Procedures) used in the crimes.

Kevin Mandia, the CEO of FireEye and a leading cybersecurity expert, told CTV News Channel on Friday that they don’t know how many people are working for FIN10 but that their “fingerprints” are perceptible in 10 different breaches.

Tech analyst Carmi Levy called FireEye’s findings “jarring” and said the report should serve as a warning to all companies. He said FIN10 is taking advantage of human error with email phishing, which means any organization is vulnerable to these types of attacks even with the most advanced anti-virus software.

“The fact that it’s employees of these companies that are literally holding the door open and allowing hackers in is frightening beyond words,” Levy said. “It should be a wakeup call to all companies that they need to incorporate the human element into their security planning.”

Levy advised companies to prioritize training their employees so they can recognize what phishing emails look like, how to identify rogue links, and what they should do when they receive a suspicious email. He also said organizations should have an individual or team available in real-time to answer security-related questions as they come up.

Mandia also recommended that companies ensure they have up-to-date spear phishing technology that can detect malicious emails that are duping employees.


How FIN10 infiltrates networks:

• The cyberattackers will craft legitimate-looking emails to lure targets into clicking on a link that directs them to a FIN10-controlled server.

• In one example, a phishing email referenced an employee questionnaire and another one pointed to an undated holiday schedule for organizational staff.

• FireEye believes the cyberattackers have likely created emails to look like LinkedIn emails in order to trick targets into believing they’re legitimate.

• FIN10 is able to establish a foothold in the victims’ networks using a payload called Meterpreter, or Trojan malware in one case.

• The group will also blatantly disrupt or even delete critical systems in a way that’s easily detectable, which FireEye believes they do intentionally so the victim is aware of the threat.
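The lure described above (a link in a plausible-looking HR or LinkedIn-style email that actually leads to an attacker-controlled server) can be screened for at the mail gateway. The following is an added example, not code from the FireEye report or from CTV: it parses the HTML body of an inbound message, collects every link, and flags links whose visible text names one domain while the href goes to another, links whose host borrows a trusted brand name (LinkedIn) without being that brand's domain, and links that leave the organization's own domains. The organization domain `example.com`, the trusted-brand table, and the sample email are all constructed assumptions for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the demo: the organization's own mail/intranet domain and the
# external brands whose mail is expected (FIN10 lures imitated LinkedIn).
ORG_DOMAINS = {"example.com"}
TRUSTED_DOMAINS = {"linkedin.com": "LinkedIn"}

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(url):
    # Strip userinfo and port so "user@host:80" cannot disguise the real host.
    return urlparse(url).netloc.lower().split("@")[-1].split(":")[0]


def _registered(host):
    # Approximate the registrable domain as the last two labels; an IP literal
    # is returned unchanged. (Assumption: no public-suffix list available offline.)
    if _IPV4.match(host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def flag_suspicious_links(html):
    """Return (reason, href, visible_text) for each link that warrants review."""
    findings = []
    for href, text in extract_links(html):
        host = _host(href)
        reg = _registered(host)
        text_lc = text.lower()

        # 1. The visible text shows one domain but the href goes somewhere else.
        m = _DOMAIN_IN_TEXT.search(text_lc)
        if m and _registered(m.group(1)) != reg:
            findings.append(("text_href_mismatch", href, text))
            continue

        # 2. The host or text invokes a trusted brand, but the registrable
        #    domain is not that brand's (e.g. linkedin.com.<attacker>.example).
        lookalike = False
        for trusted, brand in TRUSTED_DOMAINS.items():
            if (brand.lower() in host or brand.lower() in text_lc) and reg != trusted:
                findings.append(("brand_lookalike", href, text))
                lookalike = True
                break
        if lookalike:
            continue

        # 3. The link leaves both the organization and the trusted brands.
        if reg not in ORG_DOMAINS and reg not in TRUSTED_DOMAINS:
            findings.append(("external_host", href, text))
    return findings


# Constructed sample message modelled on the lure themes named in the report.
SAMPLE_EMAIL = """
<p>Please complete the <a href="http://hr-portal.example.net/survey">employee questionnaire</a> by Friday.</p>
<p>Holiday schedule: <a href="http://intranet.example.com/holidays">intranet.example.com/holidays</a></p>
<p><a href="http://linkedin.com.profile-update.example/login">View your LinkedIn profile</a></p>
<p><a href="http://198.51.100.7/reset">https://www.linkedin.com/checkpoint</a></p>
"""

if __name__ == "__main__":
    for reason, href, text in flag_suspicious_links(SAMPLE_EMAIL):
        print(f"{reason:20} {href}  (shown as: {text!r})")
```

The genuine intranet link passes all three checks; the other three links are each caught by a different rule. In production the two-label approximation in `_registered` should be replaced by a public-suffix lookup, and a hit should route the message to a reviewer rather than block it outright, since rule 3 will also fire on legitimate partners not yet on the list.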


FIN10 at a glance:

Where are they from?

In at least one instance, the attackers said they were targeting Canada in retaliation for its economic sanctions against Russia, but FireEye believes the poor quality of the Russian language used in the posts makes it more likely the group is pretending to be Russian to avoid detection.

They have also posed as a Serbian hacktivist group called “Tesla Team” but FireEye believes it’s unlikely they’re affiliated with the group.

Their focus on North American-based companies could suggest they鈥檙e familiar with the region, the report said.

Who was targeted in the attacks?

FIN10 has conducted its attacks against North American organizations, predominantly in Canada. Casinos and mining companies were identified as the primary targets.

When did it start?

FireEye said the earliest known attacks were in 2013. They have detected ransom requests and intrusions from that time until at least 2016. The report said it’s “highly probable” the group is still operating.

What did they want?

FIN10 is seeking financial gain through theft and extortion. The group gains access to companies’ networks using phishing emails and then demands payment in a cryptocurrency called Bitcoin to not publicly release the sensitive data.

The requested sums ranged from 100 to 500 Bitcoins (approximately US$124,000 to $620,000 as of mid-April).

How did they respond when their demands weren’t met?

The cyberattackers have destroyed important Windows systems by deleting critical operating system files in a few instances.

What is their end goal?

FireEye believes the primary goal of the attackers is to steal corporate business data, files, records, correspondence and customer personal information in order to extort organizations.

The cybersecurity firm also suggested that FIN10 may be expanding their targets beyond casinos and mining companies.

Levy also said he thinks FIN10 will target other organizations beyond casinos and mining companies.

“They’re not going to stop there. They never do,” he said. “They will continue to use the tools of opportunity to identify willing and easy victims and we need to recognize that those victims can exist in any market sector and anyone is vulnerable.”