Menu
Browse

Cyber Threat Actor: FIN7

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
Russia
0 incidents
Profile

FIN7 is a financially motivated threat group also known as Cobalt Group, Carbon Spider, and Carbanak, with operational ties to Russia based on observed targeting and infrastructure. The group has been active since at least mid-2015 and primarily seeks monetary gain through the theft of payment card data and financial credentials, as evidenced by its focus on banks, point-of-sale systems, and retail organizations across Europe and the United States. Its activities demonstrate a clear pattern of targeting sectors where financial transaction data is processed, including hospitality, retail, and banking, to enable fraudulent monetization of stolen information on underground markets.

The group’s tactics include deploying memory-resident malware loaders such as BOOSTWRITE to deliver payloads like the Carbanak backdoor and the RDFSNIFFER remote access tool without writing to disk, thereby evading traditional detection. It frequently employs spear phishing emails that mimic legitimate financial vendors or partners to gain initial access, a method observed in campaigns against institutions in Eastern Europe and Russia. FIN7 also uses tools designed to bypass Windows defenses, including registry-based persistence via regsvr32.exe, RC4-encrypted traffic, and JavaScript backdoors like more_eggs that are delivered through malicious Word documents or JPEG files that execute in memory. Additionally, the group has hooked into legitimate remote administration software, such as NCR’s Aloha Command Center Client, to manipulate authentication sessions and execute arbitrary commands on compromised systems, demonstrating a focus on manipulating trusted applications for stealthy data exfiltration.

Attribution to FIN7 is supported by technical overlaps in malware infrastructure and URLs observed in post-arrest activities, including a phishing campaign targeting bank employees in Romania and Russia that was linked to the group after several members were detained. The Cobalt Group designation, used interchangeably with FIN7 in threat intelligence reporting, has been associated with ATM malware deployments and suspected involvement in SWIFT banking system interference since at least late 2016. Notable operations attributed to the group include the theft of over five million payment cards from Saks Fifth Avenue and Lord & Taylor retail chains, the compromise of Burgerville’s systems leading to the exposure of customer credit and debit card details, and repeated targeting of restaurant brands such as Chipotle and Chili’s for similar financial data harvesting. These campaigns consistently resulted in large volumes of stolen card data being offered for sale on dark web marketplaces, underscoring the group’s persistent focus on financial profit through data theft.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
37 sources