Ukrainian cybercriminal gets five years in prison
A court in the United States yesterday sentenced a Ukrainian national to five years in prison for his role in a decades-long global cybercrime that stole more than 20 million loyalty card records and generated more than $1 billion in proceeds.
Denys Iarnak, 32, served as a penetration tester for the FIN7 cybercrime nexus, also tracked as the Carbon Spider and Gold Niagara. The Russia-based group has recently been linked to using REvil and Darkside ransomware.
He was arrested in Thailand in 2019 and then extradited to the US to stand trial. Two other members of the collective arrested in 2018 have previously been imprisoned for similar offences.
“Iarmak and his conspirators compromised millions of financial accounts, causing over a billion dollars in losses to Americans and costs to the American economy,” said Assistant Attorney General Kenneth Polite of the Justice Department’s Criminal Division.
“Protecting businesses online – both large and small – is a top priority for the Department of Justice. We are committed to working with our international partners to hold such cybercriminals accountable, regardless of where they live or how anonymous they choose to be.”
US Attorney Nicholas Brown of the Western District of Washington, who led the prosecution, added: “Iarmak was directly involved in developing phishing emails with embedded malware, infiltrating victim networks and extracting data such as payment card information.
“To make matters worse, he continued his work with the criminal enterprise FIN7 even after the arrest and prosecution of co-conspirators. He and others in this group of cybercriminals used hacking techniques to essentially rob thousands of multi-chain restaurant locations simultaneously from the comfort and safety of their keyboards in distant lands.”
The court heard how FIN7 accessed the networks of companies in the US, UK, Australia and France and stole records from over 6,500 point-of-sale terminals in over 3,600 locations. Notable victims in the US include restaurant chains such as Chipotle and Panera, and retailers Saks Fifth Avenue and Lord & Taylor.
It generally favored hospitality companies, which it targeted with tailored phishing emails followed by phone calls to the intended victims, lending additional legitimacy to its decoys.
After convincing its targets to open and run the file attached to the email, FIN7 used a customized version of the Carbanak malware and other tools to access and steal customers’ payment card details. Much of this data was later offered for sale on the dark web.
Note that the group has been tracked as Carbanak by some researchers, but since other cybercrime groups are known to use Carbanak, calling FIN7 by that name may not be entirely accurate.
Iarmak joined the group sometime in November 2016 and worked for them for a period of two years. He specialized in using the legitimate Jira project management software package that FIN7 hosted on various private virtual servers to coordinate the gang’s activities and manage their network incursions.
Authorities believe he received substantial compensation for his work for FIN7, which allegedly “far exceeded comparable legal employment in Ukraine”.
Still very active
Despite the arrests and convictions of key members of FIN7, the group remains active and continues to develop its tactics, techniques and procedures.
In early April, researchers at Mandiant, who were instrumental in tracking FIN7, released new information about the group’s latest activities.
Recently, it has enthusiastically turned to supply chain compromise to gain access to its intended victims; Mandiant revealed last year that FIN7 compromised an online digital products retailer and changed several download links to point to an Amazon S3 bucket containing trojanized versions containing an agent installer used to deploy a new backdoor called Powerplant was used.
Mandiant said Powerplant’s framework allows for a “huge” breadth of capabilities depending on which modules are served by the command and control (C2) server, and is therefore highly dangerous.