FIN7 Exposed: The Dark Secrets of an International Hacker Syndicate
Cybersecurity researchers have uncovered a new digital infrastructure linked to the financially motivated cybercriminal group known as FIN7. This discovery was made during a joint investigation conducted by Team Cymru, Silent Push, and Stark Industries Solutions.
Uncovering FIN7’s Infrastructure
The investigation identified two threat clusters pointing to FIN7 activity. The first cluster is associated with IP addresses belonging to Post Ltd, a company reportedly based in Russia. The second cluster includes IP addresses registered to SmartApe, an Estonian company. Both clusters show inbound connections to infrastructure believed to be used by the FIN7 group.
These findings build on a previous report by Silent Push, which identified several IP addresses used exclusively to host FIN7’s infrastructure. According to the latest data, hosts linked to this cybercriminal group were likely acquired through a reseller of Stark Industries.
How FIN7 Uses Hosting Resellers
Using reseller services is a common practice in the hosting industry. Major VPS providers often offer such services, and buyers who acquire infrastructure through resellers must comply with the main company’s terms of use.
Team Cymru experts also identified additional IP addresses connected to FIN7 activity: four belonging to Post Ltd and three to SmartApe. The Post Ltd cluster showed active outbound connections to 15 hosts previously discovered by Silent Push, while the Estonian cluster was observed connecting to 16 new hosts.
Overlapping Infrastructure and Response
Notably, 12 hosts linked to the Post Ltd cluster were also found in the SmartApe cluster. The services for these hosts were suspended after Stark Industries disclosed the information. Metadata analysis confirmed these connections, based on an assessment of TCP flags and data transfer volumes.
The Importance of International Cooperation
Effectively combating cybercrime requires close cooperation between experts and organizations across different countries. Data sharing and joint investigations enable faster identification of complex attack schemes and timely responses to new threats, despite cybercriminals’ attempts to hide their activities behind numerous IP addresses and intermediary companies.