Can software vendors block a notorious criminal group’s attacks? MITRE wants to find out

First Cozy Bear, now FIN7.

The Eastern European hacking group FIN7 has stolen an estimated $1 billion in recent years by sweeping up payment card data processed by hotels and other organizations.

The fortune amassed by FIN7, despite the arrest of some of its senior members, has made it one of the most potent criminal threats to organizations around the world. Changes the group has made to its hacking tools in recent months have meant more breaches, and likely more money, for FIN7.

Now, a U.S. government-funded organization is trying to put a dent in FIN7 hacks by evaluating the group’s attack techniques against widely used cybersecurity software. Vendors will be assessed on their ability to block FIN7-like intrusions, and with the results made public next year, they will hopefully improve their products.

While FIN7 is the subject of the evaluation, the attack techniques tested will “be applicable across a broad spectrum of adversaries,” said Frank Duff, MITRE’s lead for evaluations that use the organization’s ATT&CK framework.
MITRE has previously done evaluations for techniques used by hacking groups linked with the Chinese and Russian governments, including the Russian group best known for hacking the Democratic National Committee in 2016. Big software security vendors like CrowdStrike, FireEye, and Microsoft have participated in previous evaluations.

MITRE’s non-profit technology foundation, Engenuity, will conduct this latest evaluation.

Jeremy Kennelly, part of a research team at FireEye focused on financially motivated hackers, said the MITRE evaluation could help measure defenses against FIN7, which for periods of time uses the same malware families in its attacks.

But Kennelly also sounded a note of caution.

“Network defenders should still not allow these types of validation efforts to lull them into a false sense of security,” Kennelly, who does not work on FireEye products tested by MITRE, told CyberScoop in an email.
Successful criminal hacking groups like FIN7 have enough resources and guile to adapt their hacking tools to meet their objectives, he said, “regardless of the technology defenses employed by the organizations they target.”

U.S. law enforcement officials notched a significant win against FIN7 in September when an alleged FIN7 systems administrator pleaded guilty to wire fraud and conspiracy to commit computer hacking.

But the group has been undeterred, launching successful attacks last year.

The U.S. hospitality industry has been the prime target of recent FIN7 operations, with the group using social engineering to try to hack organizations through their customer service representatives, Kennelly said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.