The US Department of Justice announced on August 1 that it had filed charges against “three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe,” called FIN7. Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov have been charged with 26 felony counts each, including conspiracy, wire fraud, computer hacking, and identity theft. They are accused of hacking into “thousands of computer systems and [stealing] millions of customer credit and debit card numbers, which the group used or sold for profit.”
Who is FIN7, and why are these arrests so important?
FIN7 is, according to a Department of Justice fact sheet, “one of the most sophisticated and aggressive malware schemes in recent times.” The criminal organization used a front company called Combi Security, purportedly headquartered in Russia and Israel, both to appear legitimate and to recruit hackers into the operation. Once on board, dozens of skilled hackers created and unleashed a variety of malware tools to infect and control computers at companies around the world. In the US alone, FIN7 attacked companies in 47 states, allegedly stealing more than 15 million customer card records from over 3,600 business locations. Not a small operation by any measure.
How Did the FIN7 Attacks Work?
FIN7 initiated most of its cyberattacks via phishing emails to company employees, focusing on fast-food and casual dining restaurants, hotels, casinos, and other businesses with high volumes of point-of-sale transactions.
Each email would discuss business-specific details to create a measure of legitimacy – when targeting a hotel chain, for example, the email would discuss “making a reservation, with details enclosed in the attachment (emphasis ours).” Emails to restaurants “might refer to placing a large catering order or voice a complaint about prior service or food quality, further described in an attachment.” FIN7 would often follow up with telephone calls to add credence to the emails. Each email carried an attachment, usually a Microsoft Word document or a text file, embedded with malware; the goal was to induce employees to open it.
Infected computers would then connect to one of FIN7’s servers, located around the world. FIN7 was able to remotely add malware, send commands, and receive data from company networks through the victim’s computer – they could even take screenshots or video recordings of user activity to steal information.
One especially potent tool was an adaptation of the Carbanak malware used to steal over $1 billion from banks over a five-year period. FIN7 harvested credit, debit, and gift card information from legitimate purchases using these techniques—to the tune of 16 million payment cards—then resold that data through underground marketplaces on the dark web.
What Do the Arrests Mean, and What Comes Next?
While the arrests of three high-profile members of the group (Hladyr was FIN7’s systems administrator, while Fedorov and Kolpakov were supervisors) are certainly a victory for law enforcement, no one believes the threat has been completely mitigated. At the press conference announcing the indictments, US Attorney Annette Hayes described the investigation as ongoing: “We are under no illusion that we have taken this group down altogether. But we have made a significant impact,” said Hayes. “These hackers think they can hide behind keyboards in faraway places, and that they can escape the long arm of United States law. I’m here to tell you, and I think this announcement makes clear, that they cannot do that.”
There is plenty of work left to do. The cybersecurity firm FireEye issued a report further illustrating the breadth of FIN7’s reach and the sophistication of its operating methods. The report concluded that the group was “a well-resourced operation,” where “novel tactics” and “innovation enabled their success.” FIN7’s creativity includes developing an entirely new form of command line obfuscation and an original method of maintaining persistent access. The group also rotates targets intelligently and changes methods often to avoid detection.
These “evasive techniques developed at a breakneck pace” signal to investigators that the organization will not stop adapting to external threats. “They’ve brought a lot of techniques that we usually see associated with a state-sponsored attacker into the financial attacker realm,” says Barry Vengerik, a threat analyst at FireEye who coauthored the latest report. “They’re applying a level of sophistication that we’re not used to really seeing from financially motivated actors.”
The organization has continued to operate after the three were taken into custody, and certain key details remain somewhat ambiguous – the exact number of hackers who make up the group, for example. But the arrests are important small gains in a high-stakes cat-and-mouse battle between hackers and law enforcement. Officials are pleased with any sign of progress against such a sophisticated operation, and information gathered in the investigation can help prevent future attacks in other sectors.