A U.S. cybersecurity company has tied together a string of high-profile hacker attacks at Canadian mining companies and casinos in a new report that alleges a single group or actor could be behind them all.
“They’ve proven to be very effective at breaking into organizations, they are in our opinion the most destructive threat actor to hit Canada, to date,” says Charles Carmakal, the Washington D.C.-based vice-president with cybersecurity researchers Mandiant, a subsidiary of FireEye Inc.
Mandiant and FireEye analyzed the tactics, techniques and procedures (TTPs), of about 10 seemingly unrelated hacks on Canadian companies from 2013 to 2016 and concluded that there were enough similarities to identify a single actor, which it named “FIN10.” FireEye’s nomenclature means that this is the 10th financially motivated attacker they have identified (they also have identified several state-sponsored attackers).
Mr. Carmakal says the group doesn’t behave like any of the other hackers FireEye has analyzed, not least because it only targets Canadian companies. Among other things, FIN10 often seeks to publicize its activities in complex subterfuge, in some cases e-mailing media pretending to be the victim of the hacks it has perpetrated.
“Nearly every other financially motivated threat actor that we deal with just steals data and sells it,” says Mr. Carmakal, who can’t identify any of the companies FireEye worked with to identify the hacker, though by comparing some of the published details some victims can be deduced.
The behaviour associated with FIN10 was to invade systems, download critical files (everything from proprietary documents to employee or customer personal information) and then threaten to release the documents on the open web if they are not paid a ransom in Bitcoin.
The individual or group behind these attacks engage in targeted spear-fishing e-mail attacks of specific companies in the mining and gaming space to lure employees (sometimes identified through LinkedIn) into clicking on a link or downloading an infected file that installs malicious software that begins attacking the company network.
This FIN10 entity used the same publicly available software tools in multiple attacks, typically relying on software called PowerShell Empire and Metasploit; ironically these tools are open-source softwares designed to help security researchers and penetration testers to ensure systems are protected against hackers.
FireEye believes the first attack by FIN10 was a months-long campaign to steal gigabytes of data from a Canadian miner in 2013, but no payments were made and FIN10 allegedly trashed the small mining company’s systems in retaliation. That pattern repeats in later cases when its demands were not met, causing company computers to crash or fail, which had the side-effect of drawing attention to the hack.
It doesn’t appear that it was able to cash in on its extortion demands until 2016, but since then has raked hundreds of thousands of dollars out of known victims.
“Requested sums ranged from 100 to 500 Bitcoins (roughly $124,000 to $620,000 as of mid-April 2017),” the report says. “Notably, we identified at least two victims who were issued the same Bitcoin address.”
There have been no new breaches in 2017, but FireEye says FIN10 has a habit of issuing new demands to victims who have paid the ransom, and some previous victims have received new demands this year.
FIN10 has claimed multiple identities over the years to throw off investigators, in one case pretending to be a state-sponsored Russian group.
One clue for investigators was the poor quality of the Russian language posts that claimed responsibility for a hack of Ontario gold miner Detour Gold Corp. in 2015. In an examination of statements from an entity referring to itself as “angels_of_truth,” researchers noted the syntax was “very similar to output obtained from online translating solutions, making it likely the attacker(s) are not native Russian speakers and were using this narrative to mislead attribution attempts.”
In other instances FIN10 referred to itself as Tesla Team. There was a real Serbia-based hacker cadre called Tesla Team that stopped operating around 2013, but there seems to be little connection between that group and the Canada-specific attacks attributed to them. In another instance, the attacker referred to itself as “Anonymous Threat Agent,” a name attributed to the hacks of Ontario’s Casino Rama in media reports from November, 2016.
Goldcorp, one of Canada’s largest gold miners, was also hacked in an extortion scheme in 2016. Following that incident, members of the mining industry got together to form the Mining and Metals Information Sharing and Analysis Centre (MM-ISAC), led by Rob Labbé, Teck Resources Limited’s director, information security. The group is slated to begin operation in July, 2017, but similar information-sharing groups already exist for industries like financial services, which are the more traditional targets of cybercriminals. Mr. Carmakal confirmed that FireEye would be sharing its FIN10 information with the new group.
Symantec’s global Internet Security Threat Report for 2016 showed that Canada was ranked 3rd in the world for number of data breaches, and ranked 10th as a source of malware and phishing. Symantec also reported that the mining industry gets more spam directed its way than any other in Canada: “61.9 per cent of all e-mails filtered by Symantec for this industry were spam.”
FireEye believes there are more victims who have yet to be identified and has shared its information with federal and provincial police who have been investigating several of the named hacks that appear to have been perpetrated by FIN10. Mr. Carmakal says the strange confluence of targets and behaviours has given police new theories about who might be behind FIN10.
“The money they’ve taken, the extortion they’ve engaged in, the disclosure of sensitive information they’ve released, the taunting of executives, the destruction of systems … you don’t typically deal with an actor that does that all of that that’s financially motivated,” he says.