False flag extortionists targeting North American mining firms, casinos


Researchers at FireEye have identified an extortion group targeting North American casinos and mining operations that steals files and demands between $120,000 and $620,000 in exchange for not leaking them.

The group targets Canadian firms and appears to have been active since 2013. In a new report released Friday, FireEye dubbed the group "Fin10."

"They are probably the most disruptive financial threat we've seen in Canada," said Charles Carmakal, vice president at FireEye's Mandiant consulting division.

Fin10 appears to rely on freely available software tools to steal data once it is inside a network.

It posts sample files to public paste sites to prove it has the documents, and sends ransom notes to multiple company officials demanding between $120,000 and $620,000 in bitcoin to prevent a broad leak. Fin10 has also taken disruptive action on victim networks to demonstrate its presence.

This is an unusual spin on a ransom campaign, says Carmakal, because similar efforts are usually conducted with ransomware sent to as many entities as possible. Fin10 is able to charge far more than the few-hundred-dollar sums demanded in commodity ransomware attacks because it selects high-value targets and breaks into each one individually.

Though FireEye has not been able to determine how Fin10 infiltrated systems in every case, it found phishing attacks in two of the cases it investigated. According to the report released Friday, FireEye believes phishing was likely the initial access method in all of them.

The ransom notes sent to officials identify the attackers as politically motivated groups, although the FireEye report casts doubt on those claims.

In one case, it claimed to be "Angels_Of_Truth," a Russian group protesting Canadian sanctions. However, the Russian text in the notes appeared to have been produced with an online translation program. In the majority of instances, the group claimed to be the Serbian hacking collective "Tesla Team," a group that has targeted political actors and has never demanded money in the past. Both appear to be "false flag" attempts to gain credibility or throw off investigators.

FireEye links the separate attacks together through shared attack infrastructure, similar techniques and patterns of behavior, and a consistent set of tools.

Many experts believe it is risky to pay ransoms because there is no guarantee criminals will keep their end of the bargain. FireEye said that it is ultimately a decision for each victim to weigh, and that paying can sometimes be useful in buying time to mitigate an ongoing attack. FireEye does not, however, advise that Fin10 or other extortionists be trusted.

"In some cases, the attackers came back and asked for more money," said Charles Prevost, senior manager at Mandiant, "and some people paid the ransom without getting what the attackers promised."