A Ukrainian man was sentenced to five years in prison this week for his work with the financially motivated FIN7 cybercrime group. He is the third member of the group to be sentenced in the U.S. in recent years.
Denys Iarmak, 32, was arrested in Bangkok, Thailand, in November 2019 at the request of U.S. law enforcement and was extradited to the U.S. in May 2020. The Department of Justice (DoJ) said he served as a "pen tester" for FIN7, which has been active since at least 2015 and is known for deploying point-of-sale malware against large chains in the retail, banking and hospitality sectors, including Chipotle Mexican Grill, Chili's, Arby's and Red Robin.
“Iarmak was directly involved in designing phishing emails embedded with malware, intruding on victim networks, and extracting data such as payment card information,” said U.S. Attorney Nicholas W. Brown of the Western District of Washington in a Thursday statement. “To make matters worse, he continued his work with the FIN7 criminal enterprise even after the arrests and prosecution of co-conspirators. He and others in this cybercrime group used hacking techniques to essentially rob thousands of locations of multiple restaurant chains at once, from the comfort and safety of their keyboards in distant countries.”
The DoJ detailed Iarmak's two-year stint with FIN7 (from 2016 to 2018), during which he frequently used JIRA, a legitimate project-management and issue-tracking tool that the group hosted on private virtual servers, to coordinate FIN7's malicious activity and to manage its various network intrusions.
“JIRA allows team members to create ‘projects’ containing posted ‘issues’ under which other team members can make comments and share data,” according to the DoJ. “Under each issue, FIN7 members tracked their progress breaching a victim’s security, uploaded data stolen from the victim, and provided guidance to each other. As one example, Iarmak created a JIRA issue, to which he and other members of the cybergroup had access, for a specific victim company, and, on or about March 3, 2017, Iarmak updated that JIRA and uploaded data he had stolen from that company.”
To gain access to victims, FIN7 is known for sending carefully crafted, targeted emails with malicious attachments, and for following them up with telephone calls to make the messages seem legitimate. Once inside, the group typically deployed the Carbanak malware to locate and steal payment card data belonging to the business's customers, which was ultimately offered for sale on underground online marketplaces. In the U.S. alone the group stole more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations, causing losses the DoJ puts at more than $1 billion.
Other members of FIN7 have also been arrested and sentenced in the U.S. over the past year. In April 2021, FIN7 member Fedir Hladyr was sentenced to 10 years in prison, while in June 2021, FIN7 member Andrii Kolpakov was sentenced to seven years in prison.
Despite these sentences, the group remains active. Recently, researchers with Mandiant observed FIN7 compromising a website that sells digital products and modifying multiple download links so that they pointed to an Amazon S3 bucket hosting a legitimate remote management tool, which in turn deployed a new malware family called PowerPlant on the victim's system. The researchers said the incident showed the group using the novel backdoor as its primary first-stage malware (in place of Carbanak), evidence that it continues to actively develop its toolset.
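The Mandiant incident above comes down to a simple integrity failure: download links on a trusted vendor page were rewritten to point at an attacker-controlled S3 bucket. A defender who owns such a page can catch that class of tampering by periodically auditing the page's download links against an allow-list of hosts. The script below is an added example written for this article, not Mandiant's or FIN7's code; the page HTML, the site hostname `shop.example`, the bucket name and the allow-list are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# File types a customer would typically execute after downloading.
DOWNLOAD_EXTS = (".exe", ".msi", ".zip", ".dmg", ".pkg", ".sh")

# Matches S3 bucket hostnames such as bucket.s3.amazonaws.com,
# bucket.s3.us-east-1.amazonaws.com and s3-us-west-2.amazonaws.com.
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$")


class LinkExtractor(HTMLParser):
    """Collect every <a href> on the page, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(urljoin(self.page_url, value))


def audit_download_links(html, page_url, allowed_hosts):
    """Return one finding per download link whose host is not on the allow-list.

    Links to non-executable resources (docs, images) are ignored; a flagged link is
    labelled as an S3 bucket when its host matches the S3 pattern, otherwise as a
    generic off-domain host.
    """
    parser = LinkExtractor(page_url)
    parser.feed(html)
    findings = []
    for url in parser.links:
        parsed = urlparse(url)
        if not parsed.path.lower().endswith(DOWNLOAD_EXTS):
            continue
        host = (parsed.hostname or "").lower()
        if host in allowed_hosts:
            continue
        reason = "third-party S3 bucket" if S3_HOST.search(host) else "off-domain host"
        findings.append({"url": url, "host": host, "reason": reason})
    return findings


# Constructed sample page: two legitimate download links, one link rewritten to an
# attacker-controlled S3 bucket, one pointing at an unrelated mirror, and one
# documentation link that is not a download at all. Hostnames are hypothetical.
SAMPLE_PAGE = """
<html><body>
<a href="/downloads/app-1.2.0.zip">Download (zip)</a>
<a href="https://cdn.shop.example/app-setup.exe">Download (Windows)</a>
<a href="https://product-updates.s3.amazonaws.com/app-setup.exe">Download (Windows, mirror)</a>
<a href="https://mirror.example.net/app.msi">Download (MSI)</a>
<a href="/docs/manual.html">Manual</a>
</body></html>
"""

ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}


def audit_sample():
    """Run the audit over the constructed page; returns the list of findings."""
    return audit_download_links(SAMPLE_PAGE, "https://shop.example/download", ALLOWED_HOSTS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding['reason']}: {finding['url']}")
```

Run against a live page by fetching the HTML on a schedule (for example from a cron job) and alerting on any non-empty result; the allow-list should contain only the hosts the vendor actually serves installers from, so that a rewritten link to any cloud storage bucket, not just S3, is flagged as an off-domain host. Checking the published file hashes in the same job closes the case where the link is untouched but the file behind it has been replaced.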
“Despite indictments of members of FIN7 in 2018 and a related sentencing in 2021 announced by the U.S. Department of Justice, at least some members of FIN7 have remained active and continue to evolve their criminal operations over time,” said Mandiant researchers in the recent analysis.