# FIN7 (Carbanak / Sangria Tempest)
## Definition
FIN7 is the most financially successful criminal hacking group ever tracked by law enforcement and the security research community. Since their emergence in 2013, they have stolen more than $1 billion from banking institutions alone through the Carbanak malware campaigns, compromised payment card data from tens of millions of consumers through point-of-sale attacks against restaurant chains and retailers, and transitioned to ransomware affiliation that multiplied their financial impact further. Their total estimated criminal proceeds across all operations exceed several billion dollars.
The group carries multiple designations. FIN7 is the Mandiant designation and the most widely used in industry. Carbanak refers specifically to the banking malware they developed and deployed, and some vendors use it as an actor name as well. IBM tracks them as ITG14. Microsoft's current naming convention calls them Sangria Tempest. The partial overlap with FIN11 and TA505 reflects genuine ambiguity in the research community about whether FIN7, FIN11, and elements of TA505 represent distinct groups or operational subunits of a broader criminal organization. For this article, FIN7 refers to the core group associated with the Carbanak banking campaigns and subsequent point-of-sale operations.
What distinguishes FIN7 from most financially motivated criminal groups is operational patience and target research depth that would be exceptional even among nation-state espionage groups. FIN7 does not spray phishing emails. They identify specific individuals at specific organizations, research their job functions, create highly contextual pretexts, and deliver malware through documents that precisely match the recipient's professional context. A restaurant manager receiving a message that appears to come from a regional health inspector, containing a menu compliance review document, is far more likely to open the attachment than one receiving generic credential-harvesting email.
The fake cybersecurity company operations deserve separate mention. FIN7 created functioning front companies with websites, job listings, HR processes, and work assignments, and used them to recruit unwitting penetration testers who conducted real intrusions while believing they were doing legitimate contracted security work. This represents a level of social engineering sophistication with few documented parallels anywhere in the history of cybercrime or espionage.
## Attribution and Background
FIN7's confirmed leadership is Ukrainian and Russian-speaking, based on prosecutorial evidence from three US Department of Justice cases. The group's financial success and the operational sophistication of their false-front company recruitment model suggest an organization with significant operational security discipline and experienced criminal management.
The three highest-profile prosecutions each produced guilty pleas and convictions. Fedir Hladyr, a Ukrainian national identified as a high-level manager and systems administrator within FIN7, was arrested in Germany in January 2018 and sentenced in 2021 to ten years in US federal prison. Andrii Kolpakov, also Ukrainian, was identified as a pen test supervisor and sentenced in 2021 to seven years. Dmytro Fedorov, identified as a high-level hacker, was arrested in Poland in 2018 and faced separate proceedings. Despite these prosecutions, FIN7 continued operating under new or surviving leadership, demonstrating the degree to which criminal organizations with distributed structures and financial reserves can absorb law enforcement disruption.
The DOJ prosecution documents provide the most complete organizational picture available. FIN7 operated with a defined hierarchy: technical developers, pen test supervisors who assigned intrusion work to lower-level operators, financial processors who handled the proceeds, and management who identified targets and coordinated operations. The Combi Security and Bastion Secure front companies had functioning management structures, onboarding processes for new recruits, and multi-week work cycles that produced actual intrusion results before new hires understood the nature of their employment.
The transition toward ransomware affiliation is well-documented. Beginning around 2020, FIN7 members or former members began providing initial access brokerage services to major ransomware operations including REvil, DarkSide, BlackMatter, and ALPHV (also known as BlackCat). The financial logic is straightforward: FIN7's expertise in gaining initial access to target networks has higher ROI when sold to ransomware operators who can encrypt and extort the entire organization than when applied to point-of-sale card data theft, which requires additional monetization steps.
## Why It Matters
FIN7 matters to defenders across industries far beyond banking and hospitality because their evolution tracks the broader evolution of financially motivated cybercrime from specialized card theft operations to general-purpose network intrusion capabilities available to ransomware operators.
The Carbanak banking campaigns demonstrated that patience, operational research, and long dwell times were not exclusive to nation-state espionage. A criminal organization motivated entirely by financial return could sustain access inside major financial institutions for months, learn their internal transfer processes, and extract funds through methods that mimicked legitimate institutional transactions. The $1 billion in banking losses between 2013 and 2018 came from more than 100 banks in 40 countries, with individual thefts running to tens of millions of dollars. Operating at that scale required either exceptional operational security or significant insider knowledge of how modern banking fraud detection works. FIN7 had both.
The point-of-sale campaigns against restaurant and retail chains illustrated the value of targeting the physical payments ecosystem. Chipotle Mexican Grill disclosed in 2017 that FIN7 had compromised point-of-sale systems at the majority of their approximately 2,250 US locations between March and April of that year, capturing payment card data from every transaction processed at affected terminals. Arby's disclosed a compromise affecting more than 355,000 payment card records. Red Robin, Sonic Drive-In, Jason's Deli, Omni Hotels, and the parent company of Saks Fifth Avenue and Lord & Taylor reported similar breaches. The common vector in almost every case was a spear-phishing email sent to restaurant or hotel management staff, containing a malicious attachment formatted as a menu review document, HR materials, or a vendor invoice.
The fake company recruitment model deserves specific emphasis for the security community because it has direct implications for security professionals. FIN7 created Combi Security, later Bastion Secure, with a professionally designed website, a stated mission of providing penetration testing services to security firms, and a recruitment process that identified cybersecurity job seekers through legitimate employment channels. Hired individuals were given "clients" (actual victim organizations), scoped work assignments, and tools. They believed they were conducting contracted penetration tests. The tools they were given were FIN7's actual intrusion toolkit. The networks they tested were actual victim environments. Some of the recruited individuals were themselves security professionals who had unknowingly applied for and accepted work at a criminal enterprise. This recruitment model allowed FIN7 to scale operations by onboarding technical labor without revealing the criminal nature of the work.
## TTPs and Technical Details
FIN7's technical tradecraft reflects sustained investment in evasion of enterprise security controls over more than a decade of operations.
T1566.001: Spear Phishing Attachment. Initial access is almost exclusively through highly targeted spear phishing. The group researches individual targets, identifies contextually plausible pretexts, and delivers malicious documents through email. The documents have included malicious macros, embedded PowerShell, malicious LNK shortcut files packaged in archives, and DOCX files that load remote templates containing the actual payload. The evolution of delivery mechanisms reflects ongoing adaptation to Microsoft's incremental hardening of Office document execution.
T1059.001: PowerShell. FIN7's post-exploitation activity relies heavily on PowerShell for reconnaissance, lateral movement, and payload staging. Their PowerShell usage is frequently obfuscated using character substitution, base64 encoding, and string concatenation techniques designed to evade script-block logging and AMSI inspection.
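The three obfuscation styles named above (character substitution, base64 encoding, string concatenation) can be checked mechanically against process-creation or script-block log entries. The Python below is an added example for this article, not code from the page or from any vendor's tooling: the three command lines are constructed for illustration rather than real FIN7 samples, the `-EncodedCommand` abbreviations it recognises are the common ones rather than every prefix PowerShell accepts, and the indicator list and plain-sum scoring are assumptions a detection engineer would tune to local baselines.

```python
import base64
import re

# PowerShell accepts unambiguous prefixes of -EncodedCommand. This covers the
# abbreviations seen most often (-e, -ec, -en, -enc, -encodedcommand); it is an
# assumption, not the full prefix set PowerShell's parser allows.
ENCODED_RE = re.compile(r"-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]+)", re.I)

# Markers of the obfuscation styles discussed above, counted after decoding.
INDICATOR_PATTERNS = {
    "char_cast": re.compile(r"\[char\]\s*\(?\s*\d+", re.I),                # [char]78 substitution
    "string_concat": re.compile(r"(['\"][^'\"]{1,4}['\"]\s*\+\s*){2,}"),   # 'I'+'E'+'X'
    "join_operator": re.compile(r"-join\b", re.I),                         # ('Get-','Proc') -join ''
    "format_operator": re.compile(r"['\"]\s*-f\s", re.I),                  # '{0}{1}' -f 'a','b'
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "quiet_flags": re.compile(r"-(?:nop|noprofile|noni|noninteractive)\b", re.I),
}
BACKTICK_RE = re.compile(r"(?<=\w)`(?=\w)")  # i`e`x style keyword splitting


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE text), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command_line(cmdline):
    """Count obfuscation indicators in one PowerShell command line.
    Returns (score, {indicator: count}); the score is the plain sum of counts."""
    decoded = decode_encoded_command(cmdline)
    hits = {"encoded_command": 1 if decoded is not None else 0}
    # Drop the base64 blob so its letters cannot trip the text patterns, then
    # analyse the visible switches together with the decoded payload.
    text = ENCODED_RE.sub(" ", cmdline) + "\n" + (decoded or "")
    hits["backtick_split"] = sum(1 for _ in BACKTICK_RE.finditer(text))
    normalized = BACKTICK_RE.sub("", text)  # i`e`x -> iex before keyword matching
    for name, pattern in INDICATOR_PATTERNS.items():
        hits[name] = sum(1 for _ in pattern.finditer(normalized))
    return sum(hits.values()), hits


def flag_suspicious(cmdlines, threshold=3):
    """Indices of command lines whose score reaches the (assumed) threshold."""
    return [i for i, c in enumerate(cmdlines) if score_command_line(c)[0] >= threshold]


# Constructed samples (not real FIN7 artifacts). The encoded one carries the
# concatenation / char-cast style payload so decoding can be checked end to end.
OBFUSCATED_SCRIPT = (
    "$c = 'I'+'E'+'X'; $n = [string][char]78 + [char]101 + [char]116; "
    "& $c (('Get-','Proc','ess') -join '')"
)
ENCODED_BLOB = base64.b64encode(OBFUSCATED_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    'powershell.exe -Command "Get-Service -Name Spooler"',                         # benign admin use
    "powershell.exe -w hidden -c \"$f = ('{0}{1}' -f 'Net.','WebClient'); "       # format + backtick
    "i`e`x ('New-Object ' + $f)\"",
    f"powershell.exe -nop -w hidden -enc {ENCODED_BLOB}",                           # encoded payload
]

if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_COMMAND_LINES):
        score, hits = score_command_line(line)
        print(i, score, {k: v for k, v in hits.items() if v})
    print("flagged:", flag_suspicious(SAMPLE_COMMAND_LINES))
```

The scoring is deliberately simple; in a SIEM the same indicators would feed a weighted rule, and the decoded payload would be retained alongside the raw event so analysts do not have to re-decode it during triage.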
T1056.001: Keylogging. The Carbanak malware and FIN7's subsequent tooling include persistent keyloggers that capture credentials for banking applications, internal transfer systems, and administrator consoles. The keylogging is specifically tuned to capture banking operator credentials, which FIN7 used to initiate fraudulent transfers through SWIFT, internal banking applications, and ATM management systems.
T1185: Browser Session Hijacking. FIN7 captured authenticated browser sessions to banking applications, enabling fund transfers without requiring the user's credentials directly, bypassing MFA mechanisms that protect the authentication step but not the active session.
T1003: OS Credential Dumping. LSASS memory dumping and registry-based credential extraction provided credentials for lateral movement within banking and retail environments. FIN7 routinely moved from an initial compromise of a manager's workstation to domain administrator credentials through credential dumping and pass-the-hash techniques.
T1204.002: Malicious File Execution. Victim interaction with malicious documents is the foundational link in the FIN7 kill chain. Their pretext quality and document polish reflect sustained investment in social engineering research. Delivery documents have included realistic regional health department compliance forms, corporate HR templates, legal vendor agreements, and industry-specific forms matching the target's professional context.
Carbanak Malware Specifics. The Carbanak backdoor itself provides remote access, screenshot capture, video recording of the victim's screen, keylogging, file upload and download, and remote command execution. Carbanak's C2 communication uses HTTP/HTTPS to blend with normal web traffic. The malware was designed specifically to operate inside financial institution networks for extended periods, with persistence mechanisms that survived workstation reboots and some security tool updates.
ATM Jackpotting. In the banking campaigns, FIN7 used their access to ATM management networks to deploy malware on ATMs that dispensed cash on command. This technique, often called "jackpotting," required compromising both the bank's internal network and the ATM management system. Coordinated jackpotting operations extracted cash from multiple ATM locations simultaneously using money mule networks.
## CDA Perspective: PDM and Theater Missions
FIN7 operations span four PDM domains, and the mapping reveals why a purely perimeter-focused defense fails against them.
DPS: Data Protection and Sovereignty (Primary Impact Domain). The data FIN7 targets (payment card numbers, banking credentials, and SWIFT transfer authorization materials) represents the geological core of financial organizations' critical assets. The Sovereign Data Protocol (SDP), "Your data lives where you decide. Period," requires that the most sensitive financial data be subject to access controls, encryption at rest, and egress monitoring that creates an audit trail around every access event. FIN7's Carbanak implant captured credentials and banking data that were not subject to these controls. DPS-S02 (sensitive data classification and access control) directly addresses the core vulnerability.
IAT: Identity Access and Trust. The credential theft that enables FIN7's lateral movement from a compromised manager workstation to bank transfer systems depends on the availability of reusable credentials in memory and on the absence of behavioral authentication controls. Zero Possession Architecture (ZPA) requires that privileged operations use ephemeral credentials, hardware tokens, and contextual authentication that cannot be replayed. An operator who authenticates to a SWIFT transfer system should face authentication requirements specific to that system, not inherited from a compromised domain session. IAT-T04 (privileged access management for financial systems) is the direct mission response.
TID: Threat Intelligence and Defense. FIN7 campaigns produce detectable signals at multiple stages of the kill chain. The spear-phishing delivery documents contain macro or LNK execution patterns. PowerShell execution with obfuscation triggers AMSI and script-block logging alerts when those capabilities are enabled and monitored. Lateral movement through credential dumping produces Sysmon and Windows event log artifacts. The Predictive Defense Intelligence (PDI) methodology requires that threat intelligence about FIN7's current delivery techniques inform proactive detection rule updates before a campaign targets your industry vertical. TID-R01 and TID-R02 are the baseline mission responses for actor profiling and TTP-based detection.
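The signal sources listed above map onto a few Sysmon fields: Event ID 1 (process creation) exposes the document-to-script-host parent/child chain behind the spear-phishing attachment and LNK delivery (T1566.001, T1204.002, T1059.001), and Event ID 10 (process access) exposes the LSASS reads behind credential dumping (T1003). The Python below is an added example written for this article, not code from the page or from Microsoft's detection guidance: the five events are constructed records in the shape of those two Sysmon event types, and the Office and script-host process lists, the LSASS access allowlist, and the archive-extraction temp-folder markers are assumptions to be tuned per environment.

```python
import ntpath

# Assumed process sets (not from the article); extend to match the estate.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Processes expected to open lsass.exe (assumed baseline; verify locally).
LSASS_ACCESS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
# Folders where an archived LNK lands when opened straight from the mail client.
TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\rar$", "\\temp\\7z")
PROCESS_VM_READ = 0x0010  # Win32 access right required to read another process's memory


def base(path):
    """Lower-cased file name of a Windows path, usable on any platform."""
    return ntpath.basename(path).lower()


def office_spawns_script_host(ev):
    """T1204.002 -> T1059.001: an Office application starting a script host."""
    return (ev.get("EventID") == 1
            and base(ev.get("ParentImage", "")) in OFFICE_APPS
            and base(ev.get("Image", "")) in SCRIPT_HOSTS)


def lnk_launch_from_temp(ev):
    """T1566.001 via LNK-in-archive: Explorer runs a script host out of a temp folder."""
    if ev.get("EventID") != 1 or base(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return False
    if base(ev.get("ParentImage", "")) != "explorer.exe":
        return False
    haystack = (ev.get("CommandLine", "") + " " + ev.get("CurrentDirectory", "")).lower()
    return ".lnk" in haystack or any(m in haystack for m in TEMP_DIR_MARKERS)


def lsass_memory_access(ev):
    """T1003: a non-allowlisted process obtains read access to lsass.exe memory."""
    if ev.get("EventID") != 10 or base(ev.get("TargetImage", "")) != "lsass.exe":
        return False
    if base(ev.get("SourceImage", "")) in LSASS_ACCESS_ALLOWLIST:
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


RULES = [
    ("office_spawns_script_host", "T1204.002", office_spawns_script_host),
    ("lnk_launch_from_temp", "T1566.001", lnk_launch_from_temp),
    ("lsass_memory_access", "T1003", lsass_memory_access),
]


def detect(events):
    """Run every rule over every event; return alerts in event order."""
    return [{"rule": name, "technique": tid, "event": ev}
            for ev in events for name, tid, check in RULES if check(ev)]


# Constructed Sysmon-shaped events (not real telemetry); the encoded payloads
# and the Defender platform version are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1,  # Word starts PowerShell right after a document is opened
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc <base64-placeholder>",
     "CurrentDirectory": r"C:\Users\jdoe\Documents"},
    {"EventID": 1,  # cmd.exe launched by Explorer from an archive extraction folder
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start /min powershell -w hidden -enc <base64-placeholder>",
     "CurrentDirectory": r"C:\Users\jdoe\AppData\Local\Temp\Rar$DIa1234.5678"},
    {"EventID": 10,  # PowerShell opens lsass with 0x1010 = QUERY_LIMITED_INFORMATION | VM_READ
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"EventID": 10,  # antivirus engine touching lsass: expected, allowlisted
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1fffff"},
    {"EventID": 1,  # Explorer starts Word: ordinary user activity
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n',
     "CurrentDirectory": r"C:\Users\jdoe\Documents"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["technique"], alert["rule"], alert["event"].get("Image") or alert["event"].get("SourceImage"))
```

The LSASS rule keys on the VM_READ bit rather than on a fixed list of access masks because dumping tools vary the mask they request; the allowlist is what keeps that broad check quiet, so it should be built from observed baseline telemetry rather than guessed.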
VSD: Vulnerability and Surface Defense. Point-of-sale systems represent a surface area that many organizations treat as out of scope for enterprise security programs, often because they are managed by third-party vendors or sit on operationally separate networks. FIN7's success against restaurant chains demonstrated that POS network segmentation from corporate networks is a required control, not an optional enhancement. The Continuous Surface Reduction (CSR) methodology requires that every connected system, including those managed by vendors, be within the organization's attack surface inventory. VSD-V03 (network segmentation validation for payment environments) addresses the structural vulnerability FIN7 exploited across dozens of restaurant and retail victims.
The fake company recruitment operation creates an additional challenge for the security community: not all FIN7 operators are aware they are working for a criminal organization. Security professionals who receive contact from organizations matching the Combi Security or Bastion Secure profile should verify the client engagement through independent channels before conducting any testing. Legitimate penetration testing engagements always include directly verifiable statements of work, legal agreements, and client contact information that can be verified through public records.
## Key Takeaways
FIN7 is the proof case that financial motivation produces nation-state-caliber operational sophistication when the returns are sufficient and the operational security is maintained. Their evolution from banking trojan operations to POS compromise to ransomware affiliation tracks the broader evolution of financially motivated cybercrime over the past decade.
The $1 billion in banking losses from the Carbanak campaigns came from more than 100 institutions worldwide before the malware was publicly identified. The POS campaigns compromised tens of millions of payment card records across dozens of well-known restaurant and retail brands, with each compromise following a recognizable pattern that security teams at peer organizations could have used to detect and block similar attacks had threat intelligence sharing been more mature.
The fake company recruitment model is a permanent addition to the threat landscape. FIN7 demonstrated that criminal organizations can recruit skilled security professionals by disguising criminal work as legitimate contracted testing. Security professionals receiving unsolicited recruitment contacts from unfamiliar pen testing firms should conduct independent verification before engaging with any actual technical work.
Law enforcement disruption of FIN7's identified leadership in 2018 and 2019 did not eliminate the group. Ransomware affiliation now extends FIN7's reach and financial impact beyond what their own malware operations achieved. Any initial access broker providing services to ransomware operators and employing FIN7-consistent TTPs may represent continued FIN7 operations under new organizational structures.
## Sources
- US Department of Justice: "Ukrainian National Pleads Guilty to Role as Manager for Notorious FIN7 Cybercrime Group," November 2019. justice.gov
- US Department of Justice: "Second Member of FIN7 Cybercrime Gang Sentenced to Prison," August 2021. justice.gov
- Mandiant: "FIN7 Evolution and the Phishing LNK," April 2017. mandiant.com
- Mandiant: "Beyond the Bottom Line: The Real Cost of the Carbanak Group's Techniques," 2015. mandiant.com
- Group-IB: "Big Game Hunting: The Evolution of INDRIK SPIDER from Dridex Wire Fraud to BitPaymer Targeted Ransomware," 2019. group-ib.com
- Microsoft Security Intelligence: "Sangria Tempest (FIN7) actor profile and detection guidance," 2023. microsoft.com/security
- MITRE ATT&CK: "FIN7 (G0046)." attack.mitre.org/groups/G0046
- Chainalysis: "The 2022 Crypto Crime Report: Ransomware Revenue and Initial Access Brokers." chainalysis.com
Written by Evan Morgan