The unnamed companies received a series of fake letters via the US Postal Service and UPS from August to November impersonating the Department of Health and Human Services in some cases, and Amazon in others, according to the FBI.
It’s unclear if any of the firms were compromised in the incidents, but it’s a reminder of the long reach and clever tactics of a cybercriminal group that US law enforcement have pursued for years.
The FBI pinned the incidents on FIN7, an Eastern European cybercrime operation that US prosecutors have blamed for billions of dollars in losses to consumers and businesses in the US and abroad. The Justice Department has accused FIN7 of stealing millions of credit card numbers from restaurant and hospitality chains in 47 states, and FBI agents have pursued FIN7 operatives for years.
However, the group can be difficult to pin down, has evolved significantly in recent years and has lost some of its members to law enforcement busts. US cybersecurity firm Mandiant, which also analyzed some of the malicious code sent via the USB sticks, said it had “low confidence” that the activity was “attributable to FIN7-affiliated actor.” CNN could not independently attribute the activity described by the FBI to FIN7.
The FBI, which regularly sends such cyberthreat alerts to US businesses, did not respond to a request for comment on the advisory.
As one of the world’s most successful and organized cybercrime groups, FIN7 epitomizes the challenge that law enforcement officials have in curtailing the lucrative digital fraud industry.
The group has operated a front company, which purported to offer cybersecurity services, to recruit talent from Eastern Europe, according to cybersecurity researchers and the Justice Department. FIN7’s operatives are meticulous and are known to call victims to ensure they have clicked on phishing links sent by the hackers.
And the group lives on despite the arrest and prosecution of some of its members.
The Justice Department in August 2018 announced the arrest of three Ukrainian men and accused them of being “high-profile” members of FIN7. A US judge in April 2021 sentenced one of those men to 10 years in prison.
Mailed USB sticks are not a new tactic for FIN7. The group, or someone operating on its behalf, mailed an organization in the US hospitality sector a USB device and a purported Best Buy gift card in February 2020, prompting the FBI to investigate.
The hackers’ use of a non-digital medium like snail mail could offer the FBI clues it doesn’t normally get in a cyber investigation. The FBI is asking all organizations that receive a package from the hacking group to “handle it with care to preserve DNA and fingerprints that may be obtainable from the package,” the bureau’s advisory to US businesses says.