Threat Intelligence Tarot
Major Arcana · 14
Criminal (Eastern Europe)
G0046
risk 4/5
The Merchant
FIN7
Carbanak Group · Carbon Spider · ALPHV affiliate
Restaurants · Hospitality · Retail · Financial services
Active since ~2015 · Financial theft, Point-of-sale compromise, Ransomware deployment
It wears a suit and carries a business card. FIN7 built a fake cybersecurity firm to hire penetration testers, then sent them to work against real targets. It is organized crime with an org chart and an HR department.
Tactics & Techniques
  • T1566.001 Spearphishing Attachment (Initial Access)
  • T1059.001 PowerShell (Execution)
  • T1071.001 Web Protocols (Command and Control)
  • T1056.001 Keylogging (Collection)
  • T1105 Ingress Tool Transfer (Command and Control)
  • T1134 Access Token Manipulation (Privilege Escalation)
  • T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Notable Operations
  • Applebee's, Arby's, Chipotle POS compromise
  • Over $1B stolen from global businesses
  • Fake security company 'Combi Security' as recruitment cover
  • Carbanak malware campaigns against banks
Defenses
  • Point-of-sale network isolation and P2PE encryption
    PCI DSS
  • Email filtering blocking macro-enabled documents
    CIS Control 9
  • Employee security awareness for restaurant/hospitality staff
    NIST CSF: PR.AT
  • Endpoint detection and response on POS terminals
    CIS Control 10
Reversed: Their Weakness
FIN7's elaborate organizational structure became its weakness - three members were identified, arrested, and convicted, in part because of the operational paper trail that comes with running a fake company.
Data sourced from MITRE ATT&CK. For educational purposes.