FIN7, a financially motivated Russian hacking group, has set up a fake company to lure unwitting IT specialists into supporting its continued expansion into ransomware, security researchers have found.
According to researchers at Recorded Future’s Gemini Advisory unit, FIN7 — known for hacking into point-of-sale registers and stealing over $1 billion from millions of credit cards — is now operating under the guise of Bastion Secure, which claims to offer specialized public sector cybersecurity services.
Bastion Secure’s website looks like the real deal. But the research found FIN7 is using real, publicly available information from existing, legitimate cybersecurity companies — phone numbers, office locations and text pulled from real websites — to create a veil of legitimacy. Bastion’s website claims it won “Best Managed Security Service” at the SC Magazine awards in 2016, and that the fake company’s consultancy arm was acquired by Six Degrees in 2016. Neither are true.
Recorded Future’s analysis of the fake company’s website found it is largely copied from the website of Convergent Network Solutions, a legitimate cybersecurity company. The researchers said the site is hosted on the Russian domain registrar Beget, which cybercriminals often use, and some of the submenus of the fake company’s website return a Russian-language “page not found” error, which the researchers said could indicate that the site creators were Russian speakers.
At the time of writing, both Chrome and Safari have blocked access to the “deceptive” site.
Much like the website, Bastion Secure’s advertised vacancies look legitimate enough, too. The fictitious company is looking for programmers, system administrators and reverse-engineers, and the job descriptions are similar to those you’d find at any cybersecurity company.
But Recorded Future said that FIN7 — under the guise of Bastion Secure — is looking to build a “staff” capable of conducting the tasks necessary for undertaking a range of cybercriminal activity.
“Given FIN7’s increased interest in ransomware, Bastion Secure is likely specifically looking for system administrators because an individual with this skill set would be able to,” the researchers found.
The interview process also rang alarm bells for the researchers. While the first and second stages gave no indication that Bastion Secure is concealing a cybercriminal operation, the third — in which prospective employees were tasked with a “real” assignment — gave it away.
“It became immediately clear that the company was involved in criminal activity,” the researchers said. “The fact that the Bastion Secure representatives were particularly interested in file systems and backups signals that FIN7 was more interested in conducting ransomware attacks than [point of sale] infections.”
One of the Recorded Future researchers who was offered a position as IT researcher at Bastion Secure analyzed the tools that were provided by the company and found the tools are components of the post-exploitation toolkits Carbanak and Tirion (Lizar). Both toolkits have been previously attributed to FIN7 and can be used for hacking both point-of-sale systems and deploying ransomware.
“FIN7’s decision to use a fake cybersecurity company to recruit IT specialists for its criminal activity is driven by FIN7’s desire for comparatively cheap, skilled labor,” Recorded Future said. “Bastion Secure’s job offers for IT specialist positions ranged between $800 and $1,200 USD a month, which is a viable starting salary for this type of position in post-Soviet states… In effect, FIN7’s fake company scheme enables the operators of FIN7 to obtain the talent that the group needs to carry out its criminal activities, while simultaneously retaining a larger share of the profits.”
It’s not the first time FIN7 has masqueraded as a legitimate firm, previously posing as “Combi Security,” before unwanted public attention prompted the group to shut down the fake company.
Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that FIN7’s decision to masquerade as Bastion Secure is likely also an attempt to avoid unwanted attention from law enforcement.
“It’s not at all surprising that a cybercrime operation would attempt to recruit via a fake company. Hiring from the dark web is problematic and risky,” he said. “Ransomware gangs are less welcome on certain cybercrime forums than they once were, and applicants could potentially be law enforcement officers working undercover. Using standard job ads addresses both problems, while the fake company may also serve other purposes — money laundering, for example.”
“And employees could certainly be misled as to the nature of their work — for example, they may not realize that companies are unwilling recipients of their pen-testing,” said Callow.