Ransomware crew posed as real company to attract workers

A Russia-linked ransomware gang created a phony company to recruit technology workers, security researchers say.

The group — dubbed "FIN7" and thought to be connected to a May cyberattack that crippled one of the largest fuel pipelines in the U.S. — ran a website claiming to offer cybersecurity services under the name Bastion Secure, according to a new report by security firm Record Future.

The fake Bastion Secure operation is actually run by the criminal group that's believed to have developed the malicious software behind the Colonial Pipeline hack. Colonial initially paid a ransom worth $4.3 million in bitcoin to another Russia-based hacking group that had shut down its pipeline, although federal authorities later recovered at least $2.3 million.

"FIN7 is using the fictitious company Bastion Secure to recruit unwitting IT specialists into participating in ransomeware attacks," the researchers wrote. 

Hackers seeking "cheap, skilled" workers

FIN7's recruitment drive was driven by the group's "desire for comparatively cheap, skilled labor," the report states. Bastion offered new hires between $800 and $1,200 a month, a reasonable starting salary in some Eastern European states but a fraction of any profits the criminals might gain from cyberattacks, the researchers noted.

The fake company's website, which was first reported by the Wall Street Journal, mostly copied from the website of a legitimate firm and has since been blocked. 

In investigating Bastion Secure, a source with Recorded Future's Gemini Advisory service made contact with the company's "HR representative" on a job search site. After being hired, the source was given tasks that involved tools known to have been used in previous attacks by FIN7.

"FIN7's decision to hire unwitting accomplices, as opposed to finding willing accomplices on the dark web, is likely due to greed," the researchers stated. "However, FIN7's greed also afford Gemini a view into the proprietary tools of this prolific threat team, as well as the exposure of another fake FIN7 company."

FIN7 has previously used the tactic, according to federal prosecutors. The group in 2018 created a front company called Combi Security that purported to be a computer security pen-testing company based in Moscow and Haifa, Israel, to recruit a Ukrainian national as a systems administrator. In April, he was sentenced to 10 years in a federal prison for his role in the group's criminal activity. 

FIN7 first drew attention more than a decade ago for malware campaigns targeting point-of-sale systems used by major retailers, with one scheme succeeding in stealing data on more than 20 million payment cards. Companies that have publicly disclosed hacks tied to the group include Arby's, Chili's, Chipotle Mexican Grill, Jason's Deli and Red Robin, according to the Department of Justice. 

Three federal agencies on Monday issued an alert urging companies to protect themselves after ransomware attacks against "multiple U.S. critical infrastructure entities, including two U.S. food and agriculture sector organizations."

The number of ransomware attacks, in which cybercriminals secretly encrypt an organization's data and then demand payment to unscramble it, has surged in recent years. Hackers have targeted U.S. hospitals, universities, media companies, local governments and many other entities. The Biden administration in July pledged to disrupt ransomware gangs.

Ransomware payments reached more than $400 million globally in 2020 and topped $81 million in the first quarter of 2021, according to the U.S. government.