‘Know your enemy,” is a military maxim that applies to cyber security. Attribution of an attack can help defenders protect the enterprise. But attackers in a newly-revealed group trying to extort Canadian and American casinos and mining companies after stealing corporate data are apparently hoping to capitalize on a common Western accusation: Blame the Russians.

In a report issued Friday researchers at FireEye say the attacker, which it dubs FIN10, called themselves online the “Angels_Of_Truth,” and claimed the attacks on the victim were getting back for Canada-imposed economic sanctions on Russia. “The quality of the Russian-language posts, however, was considerably poor and very similar to output obtained from online translating solutions, making it likely the attacker(s) are not native Russian speakers and were using this narrative to mislead attribution attempts.”

There’s also been use of a moniker associated with a Serbian hacktivist group dubbed “Tesla Team.” However, FireEye doubts FIN10 is related to it.

Regardless of who FIN10 is, FireEye says its primary goal  is to steal corporate business data, files, records, correspondence and customer personal information to extort organizations into paying for the non-release of the stolen data.

Requested sums ranged from 100 to 500 Bitcoins (roughly US$124,000 to $620,000 as of mid-April 2017). Interestingly, at least two victims were issued the same Bitcoin address.

“FIN10 likely uses a combination of copy tools and file transfer utilities to both harvest and stage sensitive data,” says the report. After the theft the group routinely uses openly-accessible websites such as “pastebin.com,” “justpaste.it,” and “thepiratebay.se.” to send links to portions of stolen data to prove authenticity. Sometimes popular cloud file sharing/ storage solutions, such as Dropbox, are also used to receive stolen data in extortion attempts.

To make sure word spreads widely about the hack FIN10 also sends multiple emails to staff and board members of the victim organizations notifying them of the breach and potential consequences for nonpayment, as well as placing word on open-source blogs, and sometimes to reporters, about breaches.

In some cases when the extortion demand was not met the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems.

FIN10 has been operating since 2013, says the report, primarily attacking Canadian-based companies.The report doesn’t identify victims.

In the majority of intrusions attributed to FIN10 there was insufficient evidence to determine the initial infection vector, says the report. However, in at least two intrusions spear phishing emails with malicious attachments were used.  In one of those, the phishing email pretended to be updated holiday schedule for the company’s staff. The embedded URL pointed to a malicious HTML Application (HTA) file. In another intrusion, the phishing email pretended to include an employee questionnaire. The embedded URL pointed to a Word Open XML Macro-Enabled Document file (DOCM) file.

Typical FIN10 attack sequence. Graphia from FireEye

As to FIN10’s techniques, it largely uses Metasploit Meterpreter as the primary method of establishing an initial foothold within victim environments. Meterpreter allows threat actors to write their own extensions in the form of DLL files that can be uploaded and injected post exploitation. Meterpreter and most of its extensions are executed in memory, so they largely evade detection by standard anti-virus. In one case the group also uses the Splinter Remote Access Trojan (SplinterRAT), an open-source red team collaboration framework.

In the majority of cases FireEye saw FIN10 leverage PowerShell Empire (a pen-testing tool that utilizes PowerShell) for elevated persistence, mainly by utilizing the Registry and Scheduled Task options. Windows Remote Desktop Protocol (RDP)  is often used to authenticate to internal systems that were configured to allow ingress RDP connections from systems residing outside organizational firewall perimeters. Functions within the PowerShell script Meterpreter backdoor have also been used for internal reconnaissance and move laterally throughout the environment.

The attackers routinely deploy destructive batch scripts intended to delete critical system files and shutdown network systems if ransoms aren’t paid.

While casinos and mining companies have been targets so far, FireEye says there is some evidence FIN10 is targeting more widely.

Among the lessons learned, FireEye notes that paying a ransom may be the right choice but there are no guarantees the attacker(s) won’t come back for more money or simply leak the data anyway. And while most organizations have mature backup policies it’s common for the systems containing backups to be part of the same environment compromised by the attacker. That’s why access to a backup environment has to be tighten to mitigate that risk.

Get the full report here. Registration required