New Digital Infrastructure Tied to FIN7 Unveiled by Cybersecurity Experts
Cybersecurity researchers have uncovered a new digital infrastructure linked to the financially motivated cybercriminal group known as FIN7. This discovery emerged from a collaborative investigation conducted by Team Cymru, Silent Push, and Stark Industries Solutions.
The investigation identified two threat clusters indicative of FIN7’s activity. The first cluster is associated with IP addresses reportedly belonging to Post Ltd, a company purportedly based in Russia. The second cluster includes IP addresses registered to SmartApe, a company based in Estonia. Both clusters exhibit inbound connections to infrastructure believed to be utilized by the FIN7 group.
SmartApe Cluster
These findings build upon a previous Silent Push report, which identified several IP addresses exclusively used to host FIN7’s infrastructure. According to the latest data, the hosts linked to this cyber group were likely acquired through one of Stark Industries’ resellers.
The use of reseller services is a common practice in the hosting industry. Large VPS providers frequently offer such services, and purchasers acquiring infrastructure through resellers must adhere to the terms of service established by the primary company.
Team Cymru experts also managed to identify additional IP addresses tied to FIN7’s activities. Four of these belong to Post Ltd, while three are associated with SmartApe. The first cluster demonstrated active outbound connections to 15 hosts previously identified by Silent Push. The second Estonian cluster was observed connecting with 16 new hosts.
Notably, 12 hosts linked to the Post Ltd cluster were also found in the SmartApe cluster. The services of these hosts were suspended following the disclosure by Stark Industries. Metadata analysis confirms these connections, based on an assessment of TCP flags and data transmission volumes.
Effective counteraction against cybercrime necessitates close cooperation among experts and organizations across different countries. Data sharing and joint investigations enable faster detection of complex attack schemes and prompt responses to new threats, despite criminals’ attempts to obscure their activities behind a multitude of IP addresses and intermediary companies.
