Cybersecurity researchers have identified new infrastructure linked to the financially motivated FIN7 threat actor.
As part of a cooperative investigation with Silent Push and Stark Industries Solutions, Team Cymru said in a report released this week that the two clusters of possible FIN7 activity “indicate communications inbound to FIN7 infrastructure from IP addresses assigned to Post Ltd (Russia) and SmartApe (Estonia), respectively.”
The findings build on a recent disclosure by Silent Push, which identified numerous Stark Industries IP addresses used exclusively to host FIN7 infrastructure.
According to the latest report, the hosts linked to the e-crime group were most likely purchased through one of Stark’s resellers.
“Reseller programs are common in the hosting industry; many of the largest VPS (virtual private server) providers offer such services,” the cybersecurity company said. “Customers procuring infrastructure via resellers generally must follow the terms of service outlined by the ‘parent’ entity.”
Additionally, Team Cymru reported that it has discovered new infrastructure connected to FIN7 activity. This includes three IP addresses assigned to SmartApe, an Estonian cloud hosting provider, and four IP addresses belonging to Post Ltd, a broadband provider operating in southern Russia.
Over the past 30 days, the first cluster (Post Ltd) has been observed communicating outbound with at least 15 Stark-assigned hosts previously identified by Silent Push (for example, 86.104.72[.]16). The second cluster, from Estonia, has likewise been found communicating with at least 16 Stark-assigned hosts.
“In addition, 12 of the hosts identified in the Post Ltd cluster were also observed in the SmartApe cluster,” Team Cymru stated. Stark subsequently suspended the services following responsible disclosure.
“It was established that these conversations were connected, based on an analysis of their metadata. The evaluation of sampling data transfer quantities and observed TCP flags forms the basis of this assessment.”
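The report describes linking the two clusters through flow metadata: which sources talked to which known Stark-assigned hosts, how many bytes moved, and which TCP flags were seen. The following Python script is an added illustration of that kind of correlation from a defender's side; it is not code from Team Cymru, Silent Push or Stark. The flow records, the provider labels, the byte threshold and every address except the article's own 86.104.72[.]16 are constructed (TEST-NET addresses stand in for the other Stark hosts and for the Post Ltd and SmartApe sources), and the flag letters follow the nfdump/NetFlow convention.

```python
"""Correlate sampled flow records against known FIN7-attributed hosts.

Constructed example, not from the Team Cymru or Silent Push reports:
only 86.104.72[.]16 is an indicator taken from the article.
"""
from __future__ import annotations

from dataclasses import dataclass
import ipaddress
import re

# Cumulative TCP flag letters as nfdump prints them: S=SYN, A=ACK, P=PSH, F=FIN, R=RST, U=URG.
FLAG_RE = re.compile(r"^[SAPFRU]*$")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent src -> dst in this sampled record
    flags: str       # cumulative TCP flags observed on the flow


def refang(indicator: str) -> str:
    """Turn a defanged IoC such as 86.104.72[.]16 back into a plain address string."""
    addr = indicator.replace("[.]", ".").replace("(.)", ".")
    return str(ipaddress.ip_address(addr))  # raises ValueError on garbage


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src, dst, dport, bytes, flags' lines; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, dport, nbytes, flags = [f.strip() for f in line.split(",")]
        if not FLAG_RE.match(flags):
            raise ValueError(f"unexpected TCP flag string: {flags!r}")
        flows.append(Flow(refang(src), refang(dst), int(dport), int(nbytes), flags))
    return flows


def classify(flow: Flow, min_bytes: int = 1000) -> str:
    """Judge a conversation from sampled metadata alone.

    'session': handshake completed (SYN and ACK seen), data pushed, and enough
               bytes moved to look like a real exchange (threshold is arbitrary).
    'reset':   an RST was seen, so the peer refused or tore the connection down.
    'probe':   SYN without ACK, i.e. a scan or one-way noise, weak evidence.
    """
    f = set(flow.flags)
    if "R" in f:
        return "reset"
    if {"S", "A"} <= f and "P" in f and flow.bytes_out >= min_bytes:
        return "session"
    if "S" in f and "A" not in f:
        return "probe"
    return "partial"


def correlate(flows: list[Flow], known_hosts: set[str],
              source_clusters: dict[str, set[str]]) -> dict[str, set[str]]:
    """For each source cluster, collect the known-bad hosts it held real sessions with."""
    hits: dict[str, set[str]] = {label: set() for label in source_clusters}
    for flow in flows:
        if flow.dst not in known_hosts or classify(flow) != "session":
            continue
        for label, srcs in source_clusters.items():
            if flow.src in srcs:
                hits[label].add(flow.dst)
    return hits


def cluster_overlap(hits: dict[str, set[str]], a: str, b: str) -> set[str]:
    """Known-bad hosts contacted by both clusters, the report's 'also observed' measure."""
    return hits[a] & hits[b]


# Constructed sample. 203.0.113.x are TEST-NET stand-ins for the other Stark-assigned
# hosts; 192.0.2.x and 198.51.100.x stand in for the Post Ltd and SmartApe sources.
KNOWN_STARK_HOSTS = {refang(i) for i in
                     ["86.104.72[.]16", "203.0.113[.]20", "203.0.113[.]21", "203.0.113[.]22"]}

SOURCE_CLUSTERS = {
    "Post Ltd (RU)": {"192.0.2.10", "192.0.2.11"},
    "SmartApe (EE)": {"198.51.100.5"},
}

SAMPLE_FLOWS = """
# src, dst, dport, bytes, tcp_flags   (constructed records)
192.0.2.10,   86.104.72.16, 443,  48213, SAP
192.0.2.10,   203.0.113.20, 443,  12904, SAPF
192.0.2.11,   203.0.113.21, 8443,  2048, SAP
192.0.2.11,   203.0.113.22, 443,     64, S
198.51.100.5, 86.104.72.16, 443,  30110, SAP
198.51.100.5, 203.0.113.20, 443,   9110, SAPF
198.51.100.5, 203.0.113.22, 443,    120, SAR
192.0.2.10,   203.0.113.99, 443,   5000, SAP
"""

if __name__ == "__main__":
    hits = correlate(parse_flows(SAMPLE_FLOWS), KNOWN_STARK_HOSTS, SOURCE_CLUSTERS)
    for label, hosts in hits.items():
        print(f"{label}: sessions with {len(hosts)} known host(s): {sorted(hosts)}")
    print("seen from both clusters:", sorted(cluster_overlap(hits, *hits)))
```

The script only counts a destination when the sampled record shows a completed handshake with pushed data above the threshold, so the SYN-only probe and the RST-terminated flow are dropped, and the flow to an unlisted 203.0.113.99 host is ignored. The overlap set is the analogue of the "12 of the hosts ... were also observed" figure in the report.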