A prominent cybercrime group allegedly targeted a large automotive manufacturer based in the United States late last year.

Researchers from BlackBerry said they tracked a spearphishing campaign by FIN7 — a group with a long history of ties to multiple ransomware strains and attacks on major institutions. 

According to a new report, members of the purportedly Russia-based group “identified employees at the company who worked in the IT department and had higher levels of administrative rights.”

BlackBerry said they “found evidence that this attack was part of a wider campaign by FIN7.” they said. 

Ismael Valenzuela, vice president of threat research at BlackBerry, told Recorded Future News that after being inactive for several years, FIN7 reemerged with opportunistic ransomware attacks in 2023. 

The campaign, he said, “shows how, in general, more manufacturing companies are being targeted in the US.”.

Valenzuela said the group is showing significant technical innovation in its most recent attacks, including specialized proxy servers, custom tools to load their malware onto victim systems and malware written in a certain language that allows it to run on a wider range of systems. 

“For attackers, maximizing the potential target base can be advantageous (maximizing profitability),” he said, adding that it’s common in many manufacturing companies to see older systems and software that still runs on the kind of architecture the malware is built for. 

FIN7 has been active since 2013, targeting the U.S. retail, restaurant, and hospitality sectors. For years, members of the gang used the Darkside, BlackMatter, REvil and ALPHV ransomware strains to launch more opportunistic attacks. Microsoft said last year the group had ties to the Clop ransomware gang as well. 

But they have shifted their efforts to “more precise targeting of large entities,” according to BlackBerry, allegedly switching to “big game hunting” in an effort to get larger ransoms from bigger entities more likely to pay. 

While BlackBerry was able to stop the group from deploying ransomware on the unnamed automotive company’s systems, the incident is illustrative of FIN7’s shift to targeting company employees with higher access privileges. 

“In this case, employees with a high level of access privileges were targeted with spear-phishing emails,” they said. 

“The individuals targeted with spear-phishing attacks worked in the IT department, making them the most likely workers to have administrative rights and domain credentials.”

BlackBerry was able to tie the attack to FIN7 through the identification of tools typically used by the group. 

Previously known as Carbanak, FIN7 started out using point-of-sale malware to run financial scams but switched to ransomware around 2020, according to researchers. 

Multiple members of the group have been arrested or convicted on cybercrime charges in recent years as law enforcement agencies homed in on their operations. 

It is accused of attacking more than 100 U.S. companies between 2015 and 2018 and orchestrated intrusions at tens of U.S. retailers, such as Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli, where it deployed malware that collected millions of customer payment card details that they later sold on hacking forums.

The FBI said in 2022 that the group sent malicious USB devices to U.S. companies in the hopes of infecting their systems with malware and carrying out future attacks. A year earlier, the group created a fake security firm and used it to hire security researchers before tricking them into participating in ransomware attacks.