Hacking group tied to Colonial Pipeline attack continuing to recruit tech talent

A hacking group linked to the ransomware attack on Colonial Pipeline earlier this year is posing as a fake company to recruit individuals to help carry out further attacks, according to a report published Thursday.  

According to a report from cybersecurity group Recorded Future’s Gemini Advisory, prolific cybercriminal group FIN7 is running a fake company known as “Bastion Secure” aimed at recruiting more talent to carry out ransomware attacks. 

The Wall Street Journal first reported the findings Thursday, citing both the report from Recorded Future and a presentation given by Microsoft officials at a conference earlier this month. The FIN7 group allegedly wrote the software used to carry out an attack on Colonial Pipeline in May, causing temporary gas shortages in multiple states.  

The findings came after an employee for Gemini Advisory was contacted and offered a job as an IT specialist for the Bastion Secure group, and was given tools to work with during the interview process that are commonly used to carry out ransomware attacks. 

Bastion Secure reportedly employed a legitimate website to masquerade as a real company, but Gemini analysts determined it was a copy of a real cybersecurity group’s website that was hosted by a Russian domain registrar. Based on language used on the website, the analysts determined those behind it were likely Russian speakers. 

“To recruit IT specialists, Bastion Secure posts legitimate-appearing job offers on both their website and prominent job search sites in post-Soviet states, as well as providing reputable-looking contacts to potential hires for additional credibility,” the report reads. 

IT specialists were offered between $800 and $1,200 a month to take on the role, an amount that Gemini analysts noted was a “viable starting salary” in many Eastern European states, with the fake company intentionally not making clear to those recruited that they were helping to carry out lucrative ransomware attacks.

FIN7 is a prolific cybercriminal group that the Justice Department earlier this year said stole more than 20 million customer credit card records in the U.S. since 2015, leading to up to $1 billion in victim losses. FIN7 has been linked to attacks on companies including Chipotle Mexican Grill, Chili’s and Arby’s, and the group has also gone after organizations in the United Kingdom, Australia and France. 

Ukrainian national Andrii Kolpakov was sentenced in June to seven years in prison and fined $2.5 million for serving as a high-level hacker for the FIN7 group. The sentencing came three years after Kolpakov and two other Ukrainian nationals were indicted for allegedly successfully compromising more than 3,600 businesses through a hacking campaign.

Russia-based cyber criminal groups have been in the spotlight in recent months, with separate groups linked to ransomware attacks on meat producer JBS USA and IT company Kaseya, which compromised up to 1,500 other groups. President Biden urged Russian President Vladimir Putin to crackdown on these hacking units living within Russia’s borders during their in-person meeting in June. 

The report from Recorded Future’s Gemini Advisory underscored the increasing threat posed by operations like FIN7 operating unchecked. 

“Although cybercriminals looking for unwitting accomplices on legitimate job sites is nothing new, the sheer scale and blatancy with which FIN7 operates continue to surpass the behavior shown by other cybercriminal group,” the report reads.