Ransomware Gang Masquerades as a real company to recruit tech talent
A criminal organization suspected of building the software that shut down a U.S. fuel pipeline has set up a bogus company to recruit potential employees, according to researchers from intelligence firm Recorded Future and Microsoft Corp.
The bogus company uses the name Bastion Secure, researchers say. On a professional-looking website, the company claims to sell cybersecurity services. But the operator of the site is a well-known hacking group called Fin7, according to Recorded Future and Microsoft.
Fin7 allegedly hacked hundreds of businesses, stole more than 20 million customer records and wrote the software used in a hack that disrupted gasoline delivery to parts of the Southeastern United States, according to federal prosecutors and researchers.
The Bastion Secure website, which uses the initials BS as its logo, lists jobs that are technical in nature and look like jobs that would be filled at any security company: programmers, sysadmins, and people who are good at finding bugs in software. Potential hires will work nine hours a day on a predictable schedule, Monday through Friday, according to the company’s website. Lunch breaks are planned, the site says.
The attempt to impersonate a legitimate business for the purpose of recruiting represents a further development by ransomware vendors to expand and spread a scourge that has disrupted meat production, hospital care, education and hundreds of businesses. With hundreds of millions of dollars in illegal revenue, ransomware operators are increasingly operating as criminal startups with professional support staff, software development, cloud services and media relations, according to security researchers.
Recorded Future shared its findings with the Wall Street Journal and planned to publish them in a blog post on Thursday. Microsoft officials gave a presentation on their discovery earlier this month at a conference hosted by cybersecurity firm Mandiant.
Emails sent to an address listed on the Bastion Secure website went unanswered. A phone call to an Israeli number listed on the site was answered by a Russian-speaking man. “I am just one person. I have nothing to do with a cybersecurity company,” he said before hanging up.
The recruitment effort appears to be focused on Russian speakers, the researchers said. While criminals have traditionally operated in the shadows – recruiting partners in criminal forums – the demands of Fin7’s growing business seem to have driven it to recruit in the open, according to security researchers.
“You can find more qualified people when you do a broader search,” said Andrei Barysevich, director of Gemini Advisory, a division of Recorded Future. “There are a lot of law enforcement officers out there on the dark web.”
The information technology jobs advertised by Bastion Secure offer salaries between $800 and $1,200 per month. It’s a living wage in former Soviet countries like Ukraine, but “a small fraction of a cybercriminal’s share of the criminal profits from a successful ransomware extortion or large-scale credit card theft operation,” according to the Recorded Future report.
Fin7 has hacked into thousands of computer systems and for years focused on stealing and selling credit card information. The group of about 70 people has caused more than $3 billion in damage to businesses and individuals, according to federal prosecutors.
The group recently moved from stealing card information to ransomware, and it now runs a ransomware service and carries out intrusions to deploy file-encryption software, Microsoft security analyst Nick Carr said at the Mandiant conference.
Microsoft believes Fin7 produced the software used in the hack that disrupted Colonial Pipeline Co.’s operations in the spring. The actual hack was allegedly carried out by a criminal affiliate of Fin7, Carr said in his presentation. Fin7 marketed its ransomware business as DarkSide, but more recently it called it BlackMatter, according to researchers.
On Monday, three federal agencies – the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the National Security Agency – issued an alert explaining how businesses can protect themselves from BlackMatter and warning that in recent months the ransomware “has targeted several US critical infrastructure entities, including two organizations in the US food and agriculture industry.”
Bastion Secure isn’t the first bogus company Fin7 has used to recruit employees. In August 2015, it used another bogus cybersecurity company, called Combi Security, to recruit a Ukrainian named Fedir Hladyr as a sysadmin, according to federal prosecutors.
Mr. Hladyr did not realize he was engaged in a criminal enterprise until several months after he was hired, according to his lawyer, Arkady Bukh. He said Fin7 compartmentalized its activities to keep its various employees in the dark about the group’s criminal activities. “At some point some would understand that,” the lawyer said. “Sometimes not.”
Mr. Hladyr maintained Fin7’s communications servers as well as a global network of servers used to initiate and manage cyber attacks, according to federal prosecutors. After pleading guilty to hacking charges, he was sentenced to 10 years in prison in April.
Bastion Secure has made offers to potential recruits, the researchers said. Microsoft researchers were able to find a copy of a Bastion Secure employment contract sent to a potential employee. “If you actually work there, you’re not supposed to talk about it at speeches or media events,” Carr said.
It didn’t take long for one potential recruit, who applied for an information technology job, to spot the red flags, said Mr. Barysevich, the Recorded Future researcher, who the company said spoke with the potential recruit. The first warning sign was that no one in the company would meet in person or speak via a voice call, the recruit told Mr. Barysevich. Instead, they would communicate only through the encrypted messaging software Telegram or Tox, according to Recorded Future.
Later, the recruit was given software that Bastion Secure told him he would use at work, Mr. Barysevich said. He was asked to connect to what was described as a “customer” network and collect information, without being told why or how it would be used. The software tools provided to him were in fact hacking tools that a Recorded Future analysis tied to Fin7, Mr. Barysevich said.
Much of the text on Bastion Secure’s website appears to have been taken verbatim from a legitimate UK-based cybersecurity company, Convergent Network Solutions Ltd., according to the researchers. A spokesperson for Convergent said the company is treating the Bastion Secure site as a “malicious website” and is taking steps to have it removed.
The website includes a quote attributed to a Tom Deevy, described as managing director of Bastion Secure. The Mr. Deevy quoted on the site could not be reached for comment. Another man named Tom Deevy is the managing director of a company called Bastion Security Products Ltd., a builder of panic rooms and other shielded enclosures.
“This is completely wrong,” Mr. Deevy said of the quote. “We have never even dealt in the world of cybersecurity.”
Mr. Deevy added that an address in Gateshead, UK, listed by Bastion Secure as its UK business location was previously occupied by his company. “This is an address we left seven years ago,” he said.
Valentina Ochirova contributed to this article.
Copyright © 2021 Dow Jones & Company, Inc. All rights reserved.