The unnamed companies received a number of fake letters through the U.S. Postal Service and UPS from August through November, impersonating the Department of Health in some cases and Amazon in others, the FBI said.
It’s unclear whether any of the companies were compromised in the incidents, but it is a reminder of the reach and clever tactics of a group of cybercriminals that US law enforcement agencies have pursued for years.
The FBI has pinned the incidents on FIN7, an Eastern European cybercrime group that US prosecutors have blamed for billions in losses to consumers and businesses in the US and abroad. The Justice Department has accused FIN7 of stealing millions of credit card numbers from restaurant and hotel chains in 47 states, and FBI agents have been tracking FIN7 members for years.
The group is elusive, however. It has come a long way in recent years and has lost some of its members to law enforcement action. US cybersecurity firm Mandiant, which also analyzed some of the malicious code sent on the USB sticks, said it had “little confidence” that the activity “could be attributed to an actor affiliated with FIN7.” CNN was unable to independently trace the activity described by the FBI back to FIN7.
The FBI, which regularly sends such cyber threat alerts to US companies, did not respond to a request for comment on the alert.
As one of the world’s most successful and organized cybercrime groups, FIN7 embodies the challenge law enforcement agencies face in containing the lucrative digital fraud industry.
According to cybersecurity researchers and the Justice Department, the group ran a bogus company pretending to provide cybersecurity services to recruit talent from Eastern Europe. FIN7’s staff are meticulous and known for calling victims to make sure they clicked on phishing links sent by the hackers.
And the group lives on despite the arrest and prosecution of some of its members.
The Justice Department announced the arrest of three Ukrainian men in August 2018, accusing them of being “high-level” members of FIN7. A US judge sentenced one of these men to 10 years in prison in April 2021.
Mailing USB sticks is not a new tactic for FIN7. The group, or someone working on its behalf, mailed a USB device and a purported Best Buy gift card to a U.S. hospitality organization in February 2020, prompting the FBI to investigate.
Hackers’ use of a non-digital medium such as mail could provide the FBI with clues that it would not normally get in a cyber investigation. The FBI calls on all organizations that receive a package from the hacking group to “handle it carefully in order to preserve DNA and fingerprints that could have come from the package,” according to the bureau’s recommendation to US companies.