View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
May 27, 2020updated 28 May 2020 8:05am

JIRA Tickets, Jabber Servers and… Gmail Accounts? FBI Papers Reveal Cyber Criminals’ IT Infrastructure

Unsealed court documents reveal highly organised, WFH, crew

By CBR Staff Writer

The FBI has arrested a hacker at the heart of one of the world’s most prolific hacking crews, Fin7, newly unsealed court documents show.

Ukrainian national Denys Iarmak, 31, whose resume included stints as a systems administrator, helped steal data including millions of credit card details from casinos, credit unions and Trump Hotels.

Fin7 has been active since at least September 2015 and typically made its initial intrusion via personalised phishing attacks.

The FBI said: “Based on initial estimates, this hacking scheme has stolen tens of millions of payment card numbers and has caused over $100 million in losses to US financial institutions and companies.”

See also: Russian Malware Kingpin Indicted

Court documents first revealed by Vice’s Motherboard detail a highly organised crew, if one which made some serious (and welcome) operational security errors.

Fin7 used private JIRA servers to raise tickets on specific companies they were targeting. Its members also used a wide range of encrypted messengers run on private servers, including Jabber and the late HipChat. It also used the messenger services Mumble, Telegram, Threema and Viber.

The cyber crime organisation exploited a “wide variety” of digital currencies, including Binance, Electro, EXMO.com and Monero.

Content from our partners
The growing cybersecurity threats facing retailers
Cloud-based solutions will be key to rebuilding supply chains after global stress and disruption
How to integrate security into IT operations

The FBI gained significant amounts of intelligence by cooperation with law enforcement in other countries, which allowed them to gain access to both a mobile phone and a laptop while members of the group that they were targeting were on holiday, the court documents reveal.

Fin7 Hackers: WFH Since 2015

“The hacking group does not have a central office or work location”, the court documents note. “Instead [it] uses a distributed work force that relies on a secure, virtual work environment.”

Many of the group’s members provided true names and addresses via encrypted Jabber communications to “certain high-level members of the group” in order to get paid for their work.

Iarmak, meanwhile, used a Gmail account for certain communications that contained emails featuring his passport and other ID documents. This also revealed communications with antivirus companies, that were later forward on to other members of the hacking group.

These revealed that Fin7 would regularly test their malware against offline versions of the AV software to see if it detected it.

Iarmak, who went by the handle GakTus, was extradited from Thailand.

The story was first reported by Motherboard’s Joseph Cox, after a tip-off from George Washington University’s Seamus Hughes.

 

Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED
THANK YOU