Canadian casinos and mining organizations were the primary targets of financially motivated intrusion operations carried out by a hacking group called FIN10, according to cybersecurity and malware protection company FireEye.
The FireEye "FIN10: Anatomy of a Cyber Extortion Operation" report indicated FIN10's primary goal was to steal business data, correspondence, files, records and customer personally identifiable information (PII).
In addition, the report showed FIN10 requested ransoms of 100 to 500 bitcoins, valued at between $125,000 and $620,000 as of mid-April 2017, FireEye said in a prepared statement.
FIN10: Here's What You Need to Know
FIN10 consists of cyberattackers who have compromised organizations' networks and tried to monetize this illegal access by exfiltrating sensitive data and extorting victim organizations, FireEye alleged.
The hacking group uses publicly available software, scripts and techniques to control victims' networks, FireEye stated, and posts proof of stolen data on publicly accessible websites.
If a victim organization refuses to pay FIN10's ransom, the hacking group will release the stolen data to disrupt or destroy the victim's information assets and systems, FireEye said.
FIN10 first launched ransomware attacks against casinos and mining organizations in North America in 2013, with a primary focus on Canada, according to FireEye. These attacks continued until at least 2016, FireEye pointed out.
A Closer Look at the FIN10 Lifecycle Model
FireEye indicated the lifecycle of a FIN10 cyberattack includes the following stages:
- Initial compromise of the network.
- Establish a foothold in the network.
- Perform internal reconnaissance.
- Complete the mission.
FIN10's operational success makes it "highly probable" that the hacking group will continue to conduct extortion-based campaigns, FireEye noted.
Moreover, FIN10 may look beyond casinos and mining organizations, according to FireEye.
"While FIN10 has seemingly only targeted organizations within two industry verticals, it is possible the group has previously or will in the future expand their regional and industry-specific targeting," FireEye wrote in its report. "Historically, we have seen this type of threat activity — cyberattacks resulting in the theft or compromise of sensitive data to be leveraged in extortion plots — affect multiple targeted verticals."
10 Incident Response Engagement Tips
FireEye offered 10 incident response engagement tips to help organizations deal with cyberattacks conducted by FIN10 and other hacking groups:
- Confirm that a data breach has occurred before you consider paying a ransom.
- Consider how a cyberattacker will react to your organization's action or inaction.
- Validate the scope and severity of a data breach as quickly as possible, and beware of fatigue and burnout.
- Understand whether each task will help you mitigate, detect, respond to or contain a cyberattack.
- Consider getting legal authorities involved in all communications with cyberattackers.
- Get forensic, legal and public relations support.
- Brainstorm potential data breach risks and solutions.
- Maintain strong segmentation and controls over your backup environment.
- Implement both tactical and strategic actions after a breach to prevent future cyberattackers from gaining access to sensitive information and systems.
- Perform penetration testing to validate security controls and address vulnerabilities.
Responding to a hacking group like FIN10 can be difficult, FireEye pointed out.
However, with the aforementioned incident response engagement tips, organizations may be better equipped than ever before to limit the impact of cyberattacks, according to FireEye.