While a number of U.S. casinos have reported payment card breaches over the past four years, a new report from Mandiant indicates that some casinos in Canada appear to have been under attack from hackers who, after acquiring customer and corporate data, attempt to extort the casinos. Whether all of the Canadian casinos that have disclosed hacks have also received extortion demands is not clear, but over the past few years, this site has reported hacks involving Casino Rama, Grey Eagle, Cowboys Casino, and River Cree. Not one of them has publicly stated that they received an extortion demand, and Mandiant is not revealing nor confirming the identity of any victims.
In addition to casinos, some Canadian mining companies have also been hacked and may also have received extortion demands. Although DataBreaches.net cannot be sure in all instances, this site has reported on hacks of Detour Gold and GoldCorp that fit the pattern seen with the casinos. In GoldCorp’s case, the firm publicly acknowledged the hack and informed media that there had been an extortion demand.
In at least one of the mining hacks and at least one of the casino hacks, DataBreaches.net was contacted via email by people to alert this site to the breach and to pastes on sites such as Pastebin and JustPaste.it. In a short email interview, the hacker claimed that the motivation for the hack of the mining company was political and retaliatory, but as Mandiant’s report notes, the Russian-English in the paste was not particularly convincing, and their responses to me – just sending links to some news stories – did not seem particularly compelling.
In a new report released today, Mandiant calls the threat actors “FIN10,” and notes that their activities are not confined just to Canada. Of note, their report states:
FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.
OK, “FIN10” doesn’t have a particularly sexy sound to it, and these threat actors do not seem to have settled upon one name that they use or advertise as their “brand,” sometimes calling themselves “Angels_of_Truth” and at other times “Tesla Team,” but their potential to do damage appears severe. The report outlines what appear to be their tactics, techniques and procedures.
And like TheDarkOverlord, FIN10 uses the media and blogs like DataBreaches.net to increase public pressure on their victims, although they are more reticent in their use of media and response to media inquiries. As but one difference, TheDarkOverlord is very public about demanding extortion from named victims. I have yet to see FIN10 issue any public statement where they specifically acknowledged demanding extortion.
FIN10 also allegedly gives their victims a much shorter deadline to comply with the extortion demands: 10 days until the first data dump, and then a second data dump after another 72 hours.
Their attacks are a good reminder of why corporations should either already have bitcoin on hand or at least know how to acquire it if they decide they need to pay an extortion demand at some point.
You can read Mandiant’s full report on FIN10: Anatomy of a Cyber Extortion Operation.