EVERETT — The Eastern European hackers were as sophisticated as they were prolific.
Their reach was worldwide.
In the U.S. alone, they breached computer networks of businesses in 47 states, stealing more than 15 million customer credit and debit card records from roughly 3,600 separate businesses, mainly in the restaurant, casino and hospitality industries.
The list of infiltrated businesses included a restaurant off Everett Mall Way and another off 196th Street in Lynnwood in March of 2017, according to a 32-page federal indictment released Wednesday.
The Department of Justice announced Wednesday that three high-ranking members of a cybercrime group have been arrested and are in custody facing charges filed in U.S. District Court in Seattle. Court papers identified the suspects as Ukrainian nationals who are part of a hacking group known as FIN7, also called the Carbanak Group and the Navigator Group.
The trio were arrested in Germany, Poland and Spain, said U.S. Attorney Annette Hayes from the Western District of Washington. They’re accused of wire fraud, conspiracy to commit wire and bank fraud, aggravated identity theft and conspiracy to commit computer hacking, among other charges.
Hayes said she hopes the arrests send a message to “these hackers (who) think they can hide behind keyboards in far away places.”
At the same time, Hayes said, “we are under no illusion that we have taken this group down all together.”
“The investigation is not over,” said Jay Tabb, special agent in charge for the FBI’s Seattle Field Office. The FBI has been working with law enforcement worldwide, he said.
“The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise,” Tabb said.
FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers that were used or sold on the Darknet for profit. Hacks also occurred in the United Kingdom, Australia, France and other countries. Some of the companies that disclosed being hacked included Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli. One of the restaurants that fell victim to the cyber ploy was a Chipotle along Everett Mall Way, according to an address listed in the federal indictment.
FIN7 crafted email messages that would appear legitimate, sometimes inquiring about making a catering order. Once an attached file was opened and activated, malware would be used to access and steal payment card data.
The tactic is known as spear phishing.
Samples of the emails look benign. A fictitious James Anhil, for instance, in May 2017 was requesting “a takeout order for tomorrow for 11 a.m.” The email instructed the restaurant worker to open a file for the order.
“It’s completely opaque to them,” Tabb said.
FIN7 also used a front company, believed to be headquartered in Russia and Israel, to provide a guise of legitimacy and recruit hackers, according to the Department of Justice. “Ironically,” the justice department wrote, “the sham company’s website listed multiple U.S. victims among its purported clients.”
Eric Stevick: 425-339-3446; firstname.lastname@example.org.