JIRA Tickets, Jabber Servers and… Gmail Accounts? FBI Papers Reveal Cyber Criminals’ IT Infrastructure
Unsealed court documents reveal a highly organised, work-from-home crew
The FBI has arrested a hacker at the heart of one of the world’s most prolific hacking crews, Fin7, newly unsealed court documents show.
Ukrainian national Denys Iarmak, 31, whose resume included stints as a systems administrator, helped steal data including millions of credit card details from casinos, credit unions and Trump Hotels.
Fin7 has been active since at least September 2015 and typically made its initial intrusion via personalised phishing attacks.
The FBI said: “Based on initial estimates, this hacking scheme has stolen tens of millions of payment card numbers and has caused over $100 million in losses to US financial institutions and companies.”
Court documents first revealed by Vice’s Motherboard detail a highly organised crew, albeit one that made some serious (and, for investigators, welcome) operational security errors.
Fin7 used private JIRA servers to raise tickets on specific companies they were targeting. Its members also used a wide range of encrypted messengers run on private servers, including Jabber and the late HipChat. It also used the messenger services Mumble, Telegram, Threema and Viber.
The cyber crime organisation exploited a “wide variety” of digital currencies, including Binance, Electro, EXMO.com and Monero.
The FBI gained significant amounts of intelligence through cooperation with law enforcement in other countries, which allowed it to gain access to both a mobile phone and a laptop while members of the group it was targeting were on holiday, the court documents reveal.
Fin7 Hackers: WFH Since 2015
“The hacking group does not have a central office or work location”, the court documents note. “Instead [it] uses a distributed work force that relies on a secure, virtual work environment.”
Many of the group’s members provided true names and addresses via encrypted Jabber communications to “certain high-level members of the group” in order to get paid for their work.
Iarmak, meanwhile, used a Gmail account for certain communications, and that account contained emails featuring his passport and other ID documents. It also revealed communications with antivirus companies, which were later forwarded on to other members of the hacking group.
These revealed that Fin7 would regularly test their malware against offline versions of the AV software to see if it detected it.
Iarmak, who went by the handle GakTus, was extradited from Thailand.
The story was first reported by Motherboard’s Joseph Cox, after a tip-off from George Washington University’s Seamus Hughes.