![]() The impacts of related UNC merges for 2020 activity added usage of code families LOADOUT, TAKEOUT and a BIRDWATCH variant into FIN7. During that time, five UNC groups were created to track various campaigns, which eventually were merged into our new splinter group of FIN7, following merge analysis later in 2021 that expanded our understanding of FIN7. 2020 Activity Brief: Heavy on the LOADOUTįIN7 was active during the spring and summer of 2020, conducting phishing campaigns and attempting to distribute LOADOUT and GRIFFON. Eight previously suspected FIN7 UNC groups, active since 2020, have recently been merged into FIN7, confirming the resilience of actors associated with the threat group. Those groups’ activity spans as far back as 2015 and as recently as late 2021, across 36 separate intrusions. To date, we suspect 17 additional UNCs of being affiliated with FIN7 with varying levels of confidence however, those groups have not been formally merged into FIN7. This is especially notable in the ransomware ecosystem, where Mandiant has observed individual members shift teams, and teams migrate between affiliate programs commonly adopting different TTPs across intrusions depending on who they are collaborating with or gaining access from at a given time. It is also common for us to observe multiple threat groups engaging in intrusion operations within close temporal proximity, sometimes even using the same access method within hours or minutes of each other. Rigorous documentation of technical evidence is critical for modern cybercrime attribution, when considering the fluid and opportunistic nature of cybercriminal operations, as well as individual operators’ narrow allegiances to criminal organizations. Merge evidence is sourced from analysis of attacker infrastructure, intrusion tradecraft, modus operandi, and how specific code is employed by the groups we research. Our attribution methodology requires multiple layers of overlaps within collected threat data to merge suspected FIN7 UNC groups into our core FIN7 cluster. In this blog post, we focus on examining the most recent FIN7 intrusion operations, as well as the attribution methodologies that we used. Since then, we’ve published multiple blog posts on FIN7 operations, with more extensive content available on Mandiant Advantage. We first disclosed threat reporting and publicized research on FIN7 in 2017. Mandiant is also tracking multiple, notable campaigns as separate UNC groups that we suspect are FIN7, including a “BadUSB” campaign leading to DICELOADER, and multiple phishing campaigns leveraging cloud marketing platforms leading to BIRDWATCH.Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time. ![]() We also observed FIN7 use POWERPLANT as their first stage malware instead of LOADOUT and/or GRIFFON in newer intrusions. FIN7’s initial access techniques have diversified to include software supply chain compromise and the use of stolen credentials, in addition to their traditional phishing techniques.We also identified new versions of the BIRDWATCH downloader being developed, which are tracked as CROWVIEW and FOWLGAZE. FIN7 continued to leverage PowerShell throughout their intrusions, including in a new backdoor called POWERPLANT, which FIN7 has continually developed over the last two years.We also highlight notable shifts in FIN7 activity over this time, including their use of novel malware, incorporation of new initial access vectors, and likely shift in monetization strategies. This process allowed us to merge eight previously suspected UNC groups into FIN7 in January 2022. This blog post draws on organic research from both historical and recent intrusions that Mandiant directly investigated, and describes the process of merging multiple UNC groups into FIN7. With the purported shift to ransomware operations, Mandiant is publishing our research on the evolution of FIN7 which we haven’t publicly written about since Mahalo FIN7, published in 2019. Recent public research asserts threat groups sharing overlaps with FIN7 transitioned to targeted ransomware operations involving REVIL, DARKSIDE, BLACKMATTER, and ALPHV ransomware. Create a Free Mandiant Advantage Account.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |