How a single criminal hacking group held Canadian casinos and mining companies ransom - Action News
Home WebMail Tuesday, November 26, 2024, 07:54 PM | Calgary | -7.0°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Science

How a single criminal hacking group held Canadian casinos and mining companies ransom

They stole data, demanded payment in bitcoin, and disabled computer systems if the victims didn't pay up.

Newly identified group hijacked systems, demanded big ransoms for stolen data, report says

A FireEye information analyst works in front of a screen showing a near real-time map tracking cyber threats at the company office in Milpitas, Calif., in December 2014. (Beck Diefenbach/Reuters)

A "financially motivated" and digitally-savvy criminal hacking group has spent at least three years infiltrating computers at several unnamed Canadian mining companies and casinos, stealing sensitive dataand holding it for ransom.

The group, dubbed FIN10 by the cybersecurity company FireEye, began operating as early as 2013, continued until at least 2016, and has not been identified before, investigators said.

Charles Prevost, one of the investigators and a senior manager at FireEye's security consulting practice Mandiant, said they "have no idea why" FIN10 had seemingly chosen to target only Canadian mines and casinos. He could not attribute FIN10 to a particular country or location a notoriously difficult problem in cybersecurity investigations but noted that its members appeared to be native English speakers, despite attempts to appear otherwise.

According to FireEye's report, released today, the attacks targeted sensitive files such as corporate records, private communicationsand customer information. After stealingthe data from the victims' computers, the investigators say the hackersdemanded ransoms of between 100 and500 bitcoin about $35,000 to $170,000 Cdn.

A security expert says investigators have 'no idea' why a newly identified hacking group has gone after Canadian mining companies and casinos over the last three years holding stolen data for ransom and turning off essential systems of uncooperative victims. (Jean Luis Arce/Reuters)

The group then threatened to release some of the stolen data to the public if no payment was received within 10 days, and to release more data if there was still no payment three days later.

FIN10 also wreaked havoc on targets who did not meet their demands "by essentially shutting off production systems so that the mine or casino couldn't operate for a period of time," according to Charles Carmakal, another investigator and Mandiant vice president, resulting in "real" but unspecified revenue loss.

Common criminal playbook

The attacks follow a common playbook among criminals operating in the digital realm. In at least two cases, the hackersused carefully crafted emails, tailoring messages, linksand attachments to entice their targets to click a technique known as spearphishing, which was also used by Russian-backed hackers to break into the U.S. Democratic National Committee email in the summer of 2015.

In one case, the attackers hid their code in a malicious webpage claiming to be an updated holiday schedule for staff. In another, they disguised a malicious Microsoft Word document as an employee questionnaire.

However, unlike the Russian-backed groups that frequently dominate headlines, Prevost said FIN10's tools and techniques were "very far from the state-sponsored type of activity that we investigate" meaning the group used easily available "penetration testing tools" with names like Metasploit, PowerShell Empireand SplinterRAT.

Three Canadian casino operators suffered highly publicized data breaches last year one of which, Cowboys Casino, had stolen information published online just this past week. It is not known if the hacking group FIN10 was behind the breach. (Robert F. Bukaty/The Associated Press)

Thosetools allowed FIN10 to gain a foothold into its targets' networks, remove dataand run basic commands that deleted important operating system files effectively knocking out casino money handling computers, critical mining databasesand systems that were required to let employees log into their workstations.

The attackers "scheduled them just like a timebomb," Prevost said in one client's case, taking 60 critical systems offline overnight.

Who were the victims?

Carmakal saidFireEye's report involved "less than 10" companies, but would not specify how many. FireEye also declined to name any of the companies that were targeted, citing confidentiality agreements with the victims. But previous breaches offer some possible clues.

In the mining industry, both Goldcorp and Detour Gold Corporation have suffered data breaches in recent years, and seen gigabytes of personal information published online including employee's personal contact and financial information.

Among Canadian casinos, the River Cree Resort and Casino just outside of Edmonton, Alberta said in March 2016 that criminals had stolen customer and employee information from its systems. Then in June, Cowboy's Casino in Calgary was also breached, and similar information was stolen. And in November, the Casino Rama Resort in Rama, Ont. also admitted that it had been breached, saying that customer, employeeand vendor information had been stolen, too.

Earlier this week, some of the information from the Cowboy's Casino breach specifically, customer's personal information and information on gambling habits and payouts was posted online.

It's not clear if the casinos or mines mentioned in previous reports are also part of FireEye's report, and the company wouldn't say. It was reported by the Financial Times that FireEye was investigating the the River Cree Resort incident, but the company also would not confirm whether the incident was part of the company's report.

Corrections

  • A previous version of this story misstated the current value of bitcoin in Canadian dollars. The criminal group demanded ransoms of between 100 and 500 bitcoin about $350,000 to $1,700,000 Cdn today, and not $35,000 to $170,000 Cdn as initially reported.
    Jun 19, 2017 3:18 PM ET