United States SEC personnel targeted by cybercriminals
FireEye identifies FIN7 threat group behind phishing campaign; motive unknown for now
FireEye has revealed that its FireEye as a Service (FaaS) unit identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organisations in late February 2017.
Based on multiple identified overlaps in infrastructure and the use of similar tools, tactics, and procedures (TTPs), it is suspected that this campaign is associated with the financially motivated threat group known as FIN7.
FIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware. FIN7 has been observed attempting to compromise diverse organisations for malicious operations – usually involving the deployment of point-of-sale malware – primarily against the retail and hospitality industries.
All of the observed intended recipients of the spear phishing campaign appeared to be involved with SEC filings for their respective organisations. Many of the recipients were even listed in their company’s SEC filings. So far, eleven targeted organisations have been identified in the following sectors: financial services, transportation, retail, education, IT services and electronics.
All these organisations are based in the United States, and many have an international presence. The targets of these spear phishing attempts are expected either to work for U.S.-based organisations or to be U.S.-based representatives of organisations located elsewhere. However, it is possible that the attackers could perform similar activity mimicking other regulatory organisations in other countries.
FIN7’s ultimate goal in this campaign has not been identified, as the FaaS team detected and contained the attack early enough in the lifecycle before any observable data targeting or theft. Previous FIN7 operations deployed multiple point-of-sale malware families for the purpose of collecting and exfiltrating sensitive financial data. The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions, ATM compromise, and other monetization schemes.
FIN7 can profit from compromised organisations in several ways. If the attackers are attempting to compromise persons involved in SEC filings due to their information access, they may ultimately be pursuing securities fraud or other investment abuse.
In light of this discovery, FireEye implemented a Community Protection Event – FaaS, Mandiant, Intelligence, and Products – to secure all clients affected by this campaign. In this instance, an incident detected by FaaS led to the deployment of additional detection measures by the FireEye Labs team after FireEye Labs Advanced Reverse Engineering quickly analysed the malware. Detections were then quickly deployed to the suite of FireEye products.