FIN7, also known as Carbon Spider, Sangria Tempest (Microsoft), and the Carbanak Group, is a highly sophisticated Russian-linked cybercrime syndicate active since at least 2013. The group operates with a corporate-like hierarchy, including specialized roles and even bonuses for successful operatives. Despite arrests of key members in 2018 and 2020, FIN7 has demonstrated remarkable resilience and adaptability, remaining a persistent global threat.

FIN7 initially specialized in large-scale theft of payment card data, targeting the restaurant, hospitality, gaming, and retail sectors. Their hallmark was the use of advanced spear-phishing campaigns, often accompanied by social engineering phone calls, to deliver custom malware via seemingly legitimate business communications. Once inside a network, FIN7 would move laterally, exfiltrate sensitive data, and maintain persistent access using a variety of tools, including the notorious Carbanak malware.

Key tactics include: (1) Sophisticated phishing and social engineering to gain initial access. (2) Use of custom malware and toolkits for lateral movement and data exfiltration. (3) Exploitation of remote services (e.g., RDP), infected USB devices, and software vulnerabilities. (4) Targeting of SEC filing personnel for potential insider trading opportunities.

Synonyms:
Carbon Spider, Sangria Tempest, Carbanak Group