How a single criminal hacking group held Canadian casinos and mining companies ransom

A "financially motivated" and digitally-savvy criminal hacking group has spent at least three years infiltrating computers at several unnamed Canadian mining companies and casinos, stealing sensitive data and holding it for ransom.

The group, dubbed FIN10 by the cybersecurity company FireEye, began operating as early as 2013, continued until at least 2016, and has not been identified before, investigators said.

Charles Prevost, one of the investigators and a senior manager at FireEye's security consulting practice Mandiant, said they "have no idea why" FIN10 had seemingly chosen to target only Canadian mines and casinos. He could not attribute FIN10 to a particular country or location — a notoriously difficult problem in cybersecurity investigations — but noted that its members appeared to be native English speakers, despite attempts to appear otherwise.

According to FireEye's report, released today, the attacks targeted sensitive files such as corporate records, private communications and customer information. After stealing the data from the victims' computers, the investigators say the hackers demanded ransoms of between 100 and 500 bitcoin — about $35,000 to $170,000 Cdn. 

The group then threatened to release some of the stolen data to the public if no payment was received within 10 days, and to release more data if there was still no payment three days later.

FIN10 also wreaked havoc on targets who did not meet their demands "by essentially shutting off production systems so that the mine or casino couldn't operate for a period of time," according to Charles Carmakal, another investigator and Mandiant vice president, resulting in "real" but unspecified revenue loss.

Common criminal playbook

The attacks follow a common playbook among criminals operating in the digital realm. In at least two cases, the hackers used carefully crafted emails, tailoring messages, links and attachments to entice their targets to click — a technique known as spearphishing, which was also used by Russian-backed hackers to break into the U.S. Democratic National Committee email in the summer of 2015.

In one case, the attackers hid their code in a malicious webpage claiming to be an updated holiday schedule for staff. In another, they disguised a malicious Microsoft Word document as an employee questionnaire.

However, unlike the Russian-backed groups that frequently dominate headlines, Prevost said FIN10's tools and techniques were "very far from the state-sponsored type of activity that we investigate" — meaning the group used easily available "penetration testing tools" with names like Metasploit, PowerShell Empire and SplinterRAT.

Those tools allowed FIN10 to gain a foothold into its targets' networks, remove data and run basic commands that deleted important operating system files — effectively knocking out casino money handling computers, critical mining databases and systems that were required to let employees log into their workstations.

The attackers "scheduled them just like a timebomb," Prevost said — in one client's case, taking 60 critical systems offline overnight.

Who were the victims?

Carmakal said FireEye's report involved "less than 10" companies, but would not specify how many. FireEye also declined to name any of the companies that were targeted, citing confidentiality agreements with the victims. But previous breaches offer some possible clues.

In the mining industry, both Goldcorp and Detour Gold Corporation have suffered data breaches in recent years, and seen gigabytes of personal information published online — including employee's personal contact and financial information.

• Here's why reports of data breaches will skyrocket this year
• Russian spies may have backed email phishing campaign in effort to spread disinformation

Among Canadian casinos, the River Cree Resort and Casino just outside of Edmonton, Alberta said in March 2016 that criminals had stolen customer and employee information from its systems. Then in June, Cowboy's Casino in Calgary was also breached, and similar information was stolen. And in November, the Casino Rama Resort in Rama, Ont. also admitted that it had been breached, saying that customer, employee and vendor information had been stolen, too.

Earlier this week, some of the information from the Cowboy's Casino breach — specifically, customer's personal information and information on gambling habits and payouts — was posted online.

It's not clear if the casinos or mines mentioned in previous reports are also part of FireEye's report, and the company wouldn't say. It was reported by the Financial Times that FireEye was investigating the the River Cree Resort incident, but the company also would not confirm whether the incident was part of the company's report.