Cyberattackers targeting Canadian businesses, new report says

A group of cyberattackers that has been targeting Canadian businesses in financially-motivated hacks since at least 2013 has been identified in a new report.

Cybersecurity firm FireEye has dubbed the group of attackers as “FIN10” in a report titled “FIN10 Anatomy of a Cyber Extortion Operation” released on Friday morning.

FIN10 operates in North America with a predominant focus on Canadian organizations, particularly casinos and mining companies.

FireEye believes the group is able to infiltrate an organization’s networks through targeted phishing email scams and social engineering.

Once the attackers have gained access to a business’ records, files, correspondence and customer information, they will post proof of the stolen data on publicly accessible websites, the report says.

They will then try to extort their victims by demanding payment in Bitcoin, a type of online “cryptocurrency” that is difficult to trace, for not releasing sensitive information, the report said.

The requested sums ranged from 100 to 500 Bitcoins (approximately US$124,000 to $620,000 as of mid-April), according to the report.

In some cases, if the targets have failed to pay up, FIN10 has destroyed integral Windows systems by deleting critical operating system files.

The cybersecurity firm attributes a number of cases beginning in at least 2013 and continuing through to 2016 to one group or network of attackers based on the similarity of TTPs (Tactics, Techniques and Procedures) used in the crimes.

Kevin Mandia, the CEO of FireEye and a leading cybersecurity expert, told CTV News Channel on Friday that they don’t know how many people are working for FIN10 but that their “fingerprints” are perceptible in 10 different breaches.

Tech analyst, Carmi Levy, called FireEye’s findings “jarring” and said the report should serve as a warning to all companies. He said FIN10 is taking advantage of human error with email phishing, which means any organization is vulnerable to these types of attacks even with the most advanced anti-virus software.

“The fact that it’s employees of these companies that are literally holding the door open and allowing hackers in is frightening beyond words,” Levy said. “It should be a wakeup call to all companies that they need to incorporate the human element into their security planning.”

Levy advised companies to prioritize training their employees so they can recognize what phishing emails look like, how to identify rogue links, and what they should do when they receive a suspicious email. He also said organizations should have an individual or team available in real-time to answer security-related questions as they come up.

Mandia also recommended that companies ensure they have up-to-date spear phishing technology that can detect malicious emails that are duping employees.

How FIN10 infiltrates networks:

• The cyberattackers will craft legitimate-looking emails to lure targets into clicking on a link that directs them to a FIN10-controlled server.

• In one example, a phishing email referenced an employee questionnaire and another one pointed to an undated holiday schedule for organizational staff.

• FireEye believes the cyberattacks have likely created emails to look like LinkedIn emails in order to trick targets into believing they’re legitimate.

• FIN10 is able to establish a foothold into the victims’ networks using a virus called Meterpreter, or Trojan malware in one case.

• The group will also blatantly disrupt or even delete critical systems in a way that’s easily detectible, which FireEye believes they do intentionally so the victim is aware of the threat.

FIN10 at a glance:

Where are they from?

In at least one instance, the attackers said they were targeting Canada in retaliation for its economic sanctions against Russia, but FireEye believes the poor quality of the Russian language used in the posts makes it more likely the group is pretending to be Russian to avoid detection.

They have also posed as a Serbian hacktivist group called “Tesla Team” but FireEye believes it’s unlikely they’re affiliated with the group.

Their focus on North American-based companies could suggest they’re familiar with the region, the report said.

Who was targeted in the attacks?

FIN10 has conducted their attacks against North American organizations predominantly in Canada. Casinos and mining companies were identified as the primary targets.

When did it start?

FireEye said the earliest known attacks were in 2013. They have detected ransom requests and intrusions from that time until at least 2016. The report said it’s “highly probable” the group is still operating.

What did they want?

FIN10 is seeking financial gain through theft and extortion. The group gains access to companies’ networks using phishing emails and then demands payment in a cyber currency called Bitcoin to not publicly release the sensitive data.

The requested sums ranged from 100 to 500 Bitcoins (approximately US$124,000 to $620,000 as of mid-April).

How did they respond when their demands weren’t met?

The cyberattackers have destroyed important Windows systems by deleting critical operating system files in a few instances.

What is their end goal?

FireEye believes the primary goal of the attackers is to steal corporate business data, files, records, correspondence and customer personal information in order to extort organizations.

The cybersecurity firm also suggested that FIN10 may be expanding their targets beyond casinos and mining companies.

Levy also said he thinks FIN10 will target other organizations beyond casinos and mining companies.

“They’re not going to stop there. They never do,” he said. “They will continue to use the tools of opportunity to identify willing and easy victims and we need to recognize that those victims can exist in any market sector and anyone is vulnerable.”