New research from Mandiant reveals that the financially motivated hacking group FIN7 has evolved its operations and is increasingly focusing on ransomware attacks, believed to involve the MAZE, RYUK, DARKSIDE and ALPHV ransomware families.
Mandiant has now been able to link activity previously attributed to other threat clusters to FIN7. The findings show that FIN7 has increased the speed of its operations, broadened the scope of its targets, and possibly expanded its relationships with other ransomware operations in the cybercriminal underground.
The most important findings on FIN7
- Since 2020, eight threat clusters previously tracked as independent have been merged into FIN7
This reflects the resilience of the actors associated with the group. Mandiant has observed FIN7 activity across five attack waves since April 2021.
- FIN7 compromised a supply chain for the first time
The group compromised a website that sells digital products and modified several of its download links to point to an Amazon S3 bucket hosting trojanized versions of the products, bundled with an Atera agent installer. The Atera agent was in turn used to deploy a new backdoor called POWERPLANT.
- POWERPLANT is a framework offering extensive capabilities
FIN7 used POWERPLANT in every attack Mandiant observed in 2021. Based on this research, Mandiant assesses that FIN7 is likely the only actor using POWERPLANT.
- PowerShell is FIN7's preferred language
FIN7 has developed malware for its campaigns in many different programming languages, but shows a particular preference for bespoke PowerShell-based loaders and unique PowerShell commands.
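The supply-chain finding above hinges on two things a vendor or a downstream consumer can check for themselves: whether a product page's installer links still point at the vendor's own hosts, and whether a downloaded file matches a hash published out of band. The following is an added example written for this page, not code from Mandiant or from the compromised vendor; the hostnames, the HTML page, the installer bytes and the hash manifest are all constructed for the example, and the rule for recognising Amazon S3 endpoints is an assumption about how such bucket URLs are typically formed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a vendor download page in which one link has been redirected
# to a third-party Amazon S3 bucket, the pattern described in the text.
# The hostnames below are invented for this example.
SAMPLE_HTML = """
<html><body>
<a href="https://downloads.example-vendor.test/files/setup-2.4.1.exe">Download 2.4.1</a>
<a href="/files/setup-2.4.0.msi">Download 2.4.0 (previous release)</a>
<a href="https://example-vendor-cdn.s3.amazonaws.com/setup-2.4.1.exe">Download 2.4.1 (mirror)</a>
<a href="/docs/manual.pdf">Manual</a>
</body></html>
"""

# Hosts the vendor actually serves installers from (assumption for the example).
FIRST_PARTY_HOSTS = {"downloads.example-vendor.test"}

INSTALLER_EXTENSIONS = (".exe", ".msi", ".zip", ".dmg", ".pkg")


class _LinkCollector(HTMLParser):
    """Collect every href on the page, in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.links.append(value)


def collect_installer_links(html):
    """Return hrefs whose path ends in an installer-like extension."""
    parser = _LinkCollector()
    parser.feed(html)
    return [h for h in parser.links
            if urlparse(h).path.lower().endswith(INSTALLER_EXTENSIONS)]


def looks_like_s3(host):
    """Heuristic for S3 endpoints: bucket.s3.amazonaws.com,
    bucket.s3.<region>.amazonaws.com, bucket.s3-<region>.amazonaws.com
    and the path-style s3.amazonaws.com (assumed naming, not an AWS-provided list)."""
    host = host.lower()
    return host.endswith(".amazonaws.com") and (
        host.startswith("s3.") or host.startswith("s3-")
        or ".s3." in host or ".s3-" in host
    )


def audit_links(html, first_party_hosts):
    """Flag installer links that leave the vendor's own hosts.

    Relative links (no host) are treated as first-party. Each finding is a dict
    with the link, its host and a reason: "s3-bucket" or "third-party-host".
    """
    findings = []
    for link in collect_installer_links(html):
        host = urlparse(link).hostname
        if host is None or host in first_party_hosts:
            continue
        reason = "s3-bucket" if looks_like_s3(host) else "third-party-host"
        findings.append({"link": link, "host": host, "reason": reason})
    return findings


# Constructed stand-ins for the vendor's real installer and the trojanized copy
# served from the bucket. The manifest plays the role of a vendor-published
# SHA-256 list obtained out of band, never from the (possibly tampered) page.
GOOD_INSTALLER = b"MZ\x90\x00" + b"legitimate-installer-bytes" * 8
TROJANIZED_INSTALLER = GOOD_INSTALLER + b"bundled-remote-management-agent"
MANIFEST = {"setup-2.4.1.exe": hashlib.sha256(GOOD_INSTALLER).hexdigest()}


def verify_download(data, filename, manifest):
    """Compare the SHA-256 of a downloaded file with the out-of-band manifest.

    A filename missing from the manifest is rejected rather than trusted.
    """
    expected = manifest.get(filename)
    if expected is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected.lower()


if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML, FIRST_PARTY_HOSTS):
        print(f"[{f['reason']}] {f['link']} (host {f['host']})")
    print("vendor copy verifies:", verify_download(GOOD_INSTALLER, "setup-2.4.1.exe", MANIFEST))
    print("bucket copy verifies:", verify_download(TROJANIZED_INSTALLER, "setup-2.4.1.exe", MANIFEST))
```

Run against the constructed page, the audit flags only the mirror link hosted in the S3 bucket, and the hash check rejects the padded installer while accepting the genuine one. The important design point is that the manifest must come from a channel the attacker cannot edit along with the download links; a hash listed on the same tampered page proves nothing.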
About Mandiant
Mandiant is a recognized leader in dynamic cyber defense, threat intelligence and incident response. With decades of experience on the cyber frontline, Mandiant helps organizations confidently and proactively defend against cyber threats and respond to attacks. Mandiant is now part of Google Cloud.