The information security industry has long operated on the premise of two very different kinds of threats: indiscriminate cyber criminal activity aimed at making money quickly, and sophisticated, targeted attacks intended to provide long-term competitive advantage to another company (or economy), disrupt the operation of the target, or provide a (future) strategic advantage in some kind of cyber conflict.
But new research from FireEye suggests that the lines between sophisticated and unsophisticated cyber operations are blurred, making it hard for organizations to know if a given infection is merely bad luck, or evidence of a larger and more dangerous operation.
Writing about a new financially motivated hacking crew called FIN6, FireEye said that the group, which targeted point-of-sale systems, made off with “millions of payment card numbers.” Still, FireEye said that it couldn’t figure out how the group initially compromised its victims.
“In Mandiant’s investigations of FIN6, the group already possessed valid credentials to each victim network and used those credentials to initiate further intrusion activity,” the report notes.
FireEye’s iSight Partners group studied how the information from the cyber criminal underground facilitated the attack and how information stolen was monetized after the fact.
The group, which is one of many “FIN” groups identified by FireEye, relied on commodity malware known as GRABNEW to establish a beachhead on victim networks, then moved laterally to compromise higher-value assets like point-of-sale systems.
“Network defenders might think that’s not a big deal, that they can clean the machine and move on,” said John Miller, the Director of ThreatScape Cyber Crime in FireEye’s Threat Intelligence Unit. But the GRABNEW infection in the hands of FIN6 was the “foundation for damaging crime activity that was extensive through the organization’s network,” Miller said.
Cyber criminals’ focus on point-of-sale systems in recent years was a reaction to strengthening card and payment system security, he said. Similarly, the use of commodity malware is an example of how even sophisticated threat actors leverage a more or less permanent cyber criminal infrastructure, including markets for stolen credentials, compromised machines, personal information and more.
Even targeted attacks aimed at long-lived compromises often start with the help of an established cyber criminal underground that provides easy access to stolen account credentials and commodity malicious tools that allow attackers to move within a compromised environment.
Like other sophisticated cyber criminal groups, FIN6 demonstrates “a high level of planning, organization, and task management in order to accomplish their goals,” FireEye said.
“The actors generally target a particular demographic or type of organization, and their goal is financial gain from the data they steal. The groups may profit through direct sale of stolen data (such as payment cards or personally identifiable information) (or) through unauthorized transfer of funds,” FireEye said.