Threat Research Blog

FIN10: Anatomy of a Cyber Extortion Operation

FireEye has identified a set of financially motivated intrusion operations being carried out by a threat actor we have dubbed FIN10. FIN10 is known for compromising networks, stealing sensitive data, and directly engaging victim executives and board members in an attempt to extort them into paying between 100 and 500 bitcoins (valued at between $125,000 and $620,000 as of mid-April 2017).

For some victims that did not give in to the demand, FIN10 escalated the operation, destroying critical production systems and leaking stolen data to journalists in an attempt to increase the visibility of the compromise and coerce the victims into paying.

The first known FIN10 operation took place in 2013, and the group's activity continued until at least 2016. To date, we are primarily aware of Canadian victims – specifically casinos and mining organizations. Given the release of sensitive victim data, the extortion, and the destruction of systems, FireEye considers FIN10 to be one of the most disruptive threat actors observed in the region so far.

Download our report, FIN10: Anatomy of a Cyber Extortion Operation, to learn more about FIN10, including:

  • The tactics, techniques and procedures used by FIN10 to conduct their operations.
  • The multiple monikers used by FIN10 such as “Tesla Team”, “Angels of Truth”, and “Anonymous Threat Agent” to throw false flags.
  • Lessons learned when responding to FIN10 breaches, including considerations for engaging the threat actor and complying with extortion demands.

Learn more about FIN10 and how to combat the threat.