Cyber Threat Actor: Carbanak
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
3 incidents |
|---|
Profile
The threat actor known by the aliases Badbullz, Navistar, Carbanak, Carbanak Gang, Group 237 and also tracked as FIN7 or Anunak is a financially motivated cybercrime group that has been publicly linked to Russia. Open‑source reporting describes the group as a Russian‑speaking criminal syndicate that has operated since at least the mid‑2010s, focusing on the theft of payment card data and financial assets from banks, retailers and hospitality companies. The actor’s infrastructure has been observed in multiple countries, but the attribution to Russia is repeatedly cited in the source material linking the group to Russian‑speaking cybercriminal forums and to the use of Russian‑language tools. The group’s primary objective is monetary gain, achieved through the theft of credit‑card numbers, bank account credentials and the subsequent sale of that data on underground markets. Their operations are characterized by a blend of custom malware and legitimate administrative tools, allowing them to remain undetected for extended periods while moving laterally inside victim networks.
The group’s typical tactics begin with spear‑phishing emails that contain malicious Microsoft Office documents or URLs leading to the download of a loader such as BOOSTWRITE or a Dridex‑based dropper. Once initial access is obtained, the attackers frequently deploy the Carbanak (also known as Anunak) backdoor, which provides remote command‑and‑control capabilities, credential harvesting and the ability to execute arbitrary commands on compromised hosts. In several campaigns the gang has combined Carbanak with the Dridex malware, using Dridex as an initial infector to gain a foothold and then deploying Carbanak for deeper network penetration. Living‑off‑the‑land techniques are common, including the abuse of PowerShell, Windows Management Instrumentation and legitimate system utilities to avoid detection. The actors have also demonstrated a supply‑chain focus, compromising point‑of‑sale vendors such as Oracle’s MICROS division and its partners (Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell) to push malicious updates or steal support credentials that could be used to reach downstream retail environments. Custom post‑exploitation tools like the RDFSNIFFER RAT and the Swiftbelt enumeration utility have been observed in later operations, showing an evolution toward memory‑only payloads and stealthy command‑and‑control channels.
Notable publicly reported operations include the 2016 intrusion of Oracle’s MICROS point‑of‑sale division, where attackers infected hundreds of systems and harvested support‑portal credentials that could be used to push card‑skimming malware to retail terminals. In 2018 the group was linked to the breach of Saks Fifth Avenue and Lord & Taylor, resulting in the theft of more than five million payment card records that were later offered for sale on dark‑web markets. The same year, a Burgerville restaurant chain suffered a similar card‑data scrape attributed to the actor, and in 2019 FIN7 actors were observed loading a new RAT into the software of ATM manufacturer NCR Corporation, demonstrating a shift toward targeting automated teller machines. Additional reporting notes the group’s involvement in ATM malware campaigns and the use of the Carbanak backdoor in multiple financial‑sector intrusions across Europe and the United States. These campaigns illustrate the actor’s ability to move from vendor supply chains to end‑point retail and banking systems while maintaining a focus on financial profit.
Attribution to Russia is supported by multiple sources that describe the gang as Russian‑speaking and note its appearance in Russian cybercrime forums, although the material does not assert direct state sponsorship. The actor is consistently described as a criminal consortium rather than a state‑aligned APT, with motivations centered on monetary gain. The combination of spear‑phishing, credential‑stealing malware, supply‑chain compromises and the use of both custom and legitimate tools defines the group’s operational pattern. Their continued activity, despite occasional arrests of members, indicates a resilient and adaptable criminal enterprise that persists in targeting payment‑card ecosystems worldwide.
