FireEye Mandiant Threat Intelligence has graduated a financially motivated threat group to FIN11


Mandiant Threat Intelligence has promoted a threat cluster to a named FIN (financially motivated) threat group for the first time since 2017. Details of FIN11’s tactics, techniques and procedures are available in a report here.

In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity. There are significant gaps in FIN11’s phishing operations, but when active, the group conducts up to five high-volume campaigns a week. While many financially motivated threat groups are short lived, FIN11 has been conducting these widespread phishing campaigns since at least 2016. From 2017 through 2018, the threat group primarily targeted organizations in the financial, retail, and hospitality sectors. However, in 2019 FIN11’s targeting expanded to include a diverse set of sectors and geographic regions. At this point, it would be difficult to name a client that FIN11 hasn’t targeted.

Highlights include:

  • FIN11 is a newly graduated, financially motivated threat group that FireEye Mandiant Threat Intelligence assesses with moderate confidence is operating out of a Commonwealth of Independent States (CIS) nation.
  • FIN11 has impacted organisations in a wide variety of sectors and regions, globally. For example, in a single week, Mandiant observed campaigns targeting the pharmaceutical industry, shipping and logistics companies, and organisations across the globe. In addition to corporations, FIN11 has targeted entities such as academic institutions, government agencies, and public utilities.
  • Active since at least 2016, FIN11 has used widespread phishing campaigns to distribute malware. When active, FIN11 generally conducts multiple phishing campaigns a week, each with thousands of emails, and every month or so they modify their delivery tactics.
  • As of late, the group has been using hybrid extortion to monetise their operations. They deploy CLOP ransomware and threaten to release exfiltrated data in order to pressure their victims into paying extortion demands. These demands have ranged from a few hundred thousand dollars to as much as $10 million USD.