FireEye has identified a set of financially motivated intrusion operations being carried out by an actor we have dubbed FIN10.
Within these clusters of activity, the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. We have observed FIN10 targeting organizations in North America, predominantly in Canada.
FIN10 primarily relies on publicly available software, scripts and techniques to gain a foothold in victims’ networks. The threat group then posts proof of the stolen data on publicly accessible websites. Failure to pay the threat group could result in the public release of stolen data and potential disruption or destruction of the victim’s information assets and systems.
In this report, we describe FIN10’s activities and tactics, techniques and procedures (TTPs), and provide a glimpse into how they execute their operations.
Background
FireEye has observed multiple targeted intrusions occurring in North America — predominantly in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10…
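The destructive sequence described above (deletion of critical operating system files followed by a shutdown of the same host) is a pattern a defender can correlate from endpoint telemetry. The following Python example is added here and is not code from the FireEye report; the event format, the field names, the list of protected directories, the 30-minute window, the deletion threshold and the sample log lines are all constructed assumptions for the illustration.

```python
"""Correlate critical-file deletions with a subsequent shutdown on the same host.

Added example, not part of the original report. The event schema (tab-separated
timestamp, host, user, action, detail), the protected directories, the window
and the threshold are assumptions chosen for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: directories whose contents should not be deleted by ordinary activity.
CRITICAL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed tunable: deletions within this interval before a shutdown are linked to it.
WINDOW = timedelta(minutes=30)
# Assumed tunable: this many critical deletions before a shutdown is flagged as destructive.
DELETE_THRESHOLD = 3

# Constructed sample telemetry (not real log data). Hostnames, users and file
# names are placeholders; DC01 events are deliberately out of order to show sorting.
SAMPLE_EVENTS = [
    "2016-03-12T02:10:05\tFS01\tCORP\\svc_backup\tFILE_DELETE\tC:\\Windows\\System32\\sample_a.dll",
    "2016-03-12T02:10:09\tFS01\tCORP\\svc_backup\tFILE_DELETE\tC:\\Windows\\System32\\sample_b.dll",
    "2016-03-12T02:10:14\tFS01\tCORP\\svc_backup\tFILE_DELETE\tC:\\Windows\\SysWOW64\\sample_c.dll",
    "2016-03-12T02:10:20\tFS01\tCORP\\svc_backup\tFILE_DELETE\tC:\\Windows\\System32\\drivers\\sample_d.sys",
    "2016-03-12T02:12:00\tWS07\tCORP\\jdoe\tFILE_DELETE\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\report.tmp",
    "2016-03-12T02:15:00\tWS07\tCORP\\jdoe\tSHUTDOWN\tuser-initiated",
    "2016-03-12T02:20:31\tFS01\tCORP\\svc_backup\tSHUTDOWN\tinitiated by CORP\\svc_backup",
    "2016-03-12T09:00:00\tDC01\tCORP\\admin\tSHUTDOWN\tscheduled maintenance",
    "2016-03-12T01:00:00\tDC01\tCORP\\admin\tFILE_DELETE\tC:\\Windows\\System32\\sample_e.dll",
]


def parse_event(line):
    """Split one tab-separated event line into a dict with a datetime timestamp."""
    ts, host, user, action, detail = line.split("\t", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "action": action, "detail": detail}


def is_critical_delete(event):
    """True for deletions whose target path lies under a protected directory."""
    return (event["action"] == "FILE_DELETE"
            and event["detail"].lower().startswith(CRITICAL_DIRS))


def find_destructive_sequences(lines):
    """Return one finding per shutdown preceded by >= DELETE_THRESHOLD critical
    deletions on the same host within WINDOW. Events are sorted first so the
    correlation does not depend on collection order."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent_deletes = defaultdict(list)  # host -> critical deletions seen so far
    findings = []
    for ev in events:
        if is_critical_delete(ev):
            recent_deletes[ev["host"]].append(ev)
        elif ev["action"] == "SHUTDOWN":
            linked = [d for d in recent_deletes[ev["host"]] if ev["ts"] - d["ts"] <= WINDOW]
            if len(linked) >= DELETE_THRESHOLD:
                findings.append({
                    "host": ev["host"],
                    "users": sorted({d["user"] for d in linked}),
                    "deletes": len(linked),
                    "shutdown": ev["ts"],
                })
    return findings


if __name__ == "__main__":
    for f in find_destructive_sequences(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['deletes']} critical deletions by {', '.join(f['users'])} "
              f"before shutdown at {f['shutdown'].isoformat()}")
```

In the constructed sample only FS01 is flagged: WS07 deletes a single temp file outside the protected directories, and DC01 has one protected-directory deletion eight hours before its shutdown, which is below the threshold and outside the window. In practice the protected-directory list, window and threshold would be tuned against the organization's own patching and maintenance baseline to keep legitimate update activity from firing the rule.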