Cybercrime gang sets up fake company to hire security experts to aid in ransomware attacks
A cybercrime group known as FIN7 has created a fake security firm earlier this year, used it to hire security researchers, and then trick them into participating in ransomware attacks.
Named Bastion Secure, the company claims to provide penetration testing services for private companies and public sector organizations across the world.
But according to an investigation by Gemini Advisory, a division of Recorded Future, the company is a front for the FIN7 group, which used the Bastion Secure website as a front to post ads on Russian job portals seeking to hire cybersecurity experts for various positions [1, 2, 3, 4, 5, 6, 7].
Ads on its website [archived] show that FIN7 recruited reverse engineers, system administrators, C++, Python, and PHP programmers.
Those who applied went through a three-phase interviewing process; the Gemini Advisory team said today after one of its partners went through the process in order to study the shady company.
The first phase included a basic interview process with an HR representative, typically carried out via Telegram. After a successful interview, the job applicants were told to sign a contract with a non-disclosure agreement and configure their computer by installing several virtual machines and opening certain ports.
Applicants received legitimate penetration testing security tools from the company to conduct a series of test assignments.
Applicants were brought in to participate in a "real" assignment where they were told to conduct a penetration test against one of Bastion Secure's customers.
Gemini Advisory said that this last step in the interviewing process did not include any form of legal documents authorizing the penetration tests, as it's customary in such cases, or explanation to participants.
Furthermore, Bastion Secure representatives also told applicants to use only specific tools that would not be detected by security software and to specifically look for backups and file storage systems once inside a company's network.
FIN7 group identified as operators of the Darkside RaaS
Tools shared by Bastion Secure with the Gemini partner who participated in the interviewing process were linked to malware strains like Carbanak and Lizar/Tirion, tools that have been historically part of FIN7's arsenal.
In addition, Gemini Advisory said that tasks and operations assigned to applicants "matched the steps taken to prepare a ransomware attack."
The attacks installed ransomware such as Ryuk or REvil, two ransomware strains that have been tied in recent years to FIN7 attacks, according to Gemini Advisory.
Newer attacks would have deployed the DarkSide and BlackMatter ransomware, according to security researchers from Microsoft, who have also been tracking the fake FIN7 security company.
In a talk at the Mandiant Cyber Defense Summit, Microsoft's Nick Carr and Christopher Glyer said that FIN7 didn't just deploy the Darkside ransomware (and its later BlackMatter rebrand) in attacks, but that FIN7 also managed the Darkside RaaS (Ransomware-as-a-Service) itself.
FIN7 previously operated Combi Secure
But the tactic of operating a fake security firm isn't particularly new for the FIN7 group, which also did the same thing back in the mid-2010s when they operated another fake security firm called Combi Security.
At the time, FIN7 was primarily engaged in deploying Point-of-Sale malware, and they used Combi Security to recruit penetration testers to breach retail company networks and then deploy said-PoS malware to collect payment card details from the hacked networks, according to an indictment by the US Department of Justice.
Hiring pen-testers is cheaper
As for the reasons why a criminal group like FIN7 would go to such great lengths to operate a fake security company not only once but twice, the answer is simple and has to do with operational costs and money, according to Gemini Advisory.
The reality is that it is cheaper to hire a security researcher than for FIN7 to work with other hacking groups or hackers recruited via underground forums.
A security researcher in Russia typically makes between $800 and $1,200 a month, according to Gemini Advisory, while criminal hackers would most likely want a percentage cut of the ransomware payment, which in some cases can easily reach millions of US dollars, Gemini Advisory said today.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.