Cybersecurity researchers have uncovered new infrastructure connected to a financially driven threat group known as FIN7.
According to a report released this week by Team Cymru, in collaboration with Silent Push and Stark Industries Solutions, two clusters of potential FIN7 activity were identified, pointing to inbound connections to FIN7 infrastructure from IP addresses assigned to Post Ltd in Russia and SmartApe in Estonia.
These findings expand on a recent Silent Push report, which identified several IP addresses under Stark Industries that are exclusively used to support FIN7 infrastructure.
The latest analysis reveals that the hosts linked to this cybercrime group were likely acquired from a reseller associated with Stark.
“Reseller programs are quite common in the hosting industry, with many major VPS (virtual private server) providers offering such services,” the cybersecurity company explained. “Customers purchasing infrastructure through resellers are typically required to follow the terms of service set by the ‘parent’ company.”
Furthermore, Team Cymru discovered additional infrastructure tied to FIN7, including four IP addresses assigned to Post Ltd, a broadband provider in Southern Russia, and three addresses assigned to SmartApe, a cloud hosting service based in Estonia.
The first cluster (Post Ltd) was seen making outbound connections to at least 15 Stark-assigned hosts, previously identified by Silent Push, over the preceding 30 days. Similarly, the second cluster (SmartApe, Estonia) was found to be communicating with no fewer than 16 Stark-assigned hosts.
“Moreover, 12 of the hosts from the Post Ltd cluster were also observed in the SmartApe cluster,” Team Cymru reported. Following responsible disclosure, Stark has since suspended these services.
An analysis of the communications metadata confirmed that these were genuine sessions rather than scanning or probe traffic, based on the TCP flags observed (completed handshakes rather than lone SYNs) and on sampled data-transfer volumes well above what a bare handshake would produce.
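As an added illustration of the kind of metadata check described above, the following Python example (written for this page, not Team Cymru's tooling or data) classifies NetFlow-style records by cumulative TCP flags and byte counts, keeps only completed sessions, groups them by the source provider, and computes the overlap between two source clusters. The flow records, the provider map (RFC 5737 documentation ranges standing in for an ASN/whois lookup) and the provider labels are all constructed and carry no real attribution.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Cumulative TCP flag bits as exported in NetFlow/IPFIX tcpControlBits.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    flags: int      # OR of all TCP flags seen across the flow
    packets: int
    bytes: int


# Hypothetical network-to-provider map (documentation ranges only); stands in
# for a real ASN/whois lookup and attributes nothing to any real provider.
PROVIDER_OF = {
    ip_network("192.0.2.0/24"): "provider_A",      # plays the role of the Russian broadband cluster
    ip_network("198.51.100.0/24"): "provider_B",   # plays the role of the Estonian cloud cluster
    ip_network("203.0.113.0/24"): "target_host",   # plays the role of the reseller-assigned hosts
}


def provider(ip):
    addr = ip_address(ip)
    for net, name in PROVIDER_OF.items():
        if addr in net:
            return name
    return "unknown"


def is_established(flow, min_packets=3, min_bytes=200):
    """True only when the flow looks like a completed session, not a probe:
    SYN and ACK both seen (handshake completed from the exporter's vantage),
    enough packets to carry more than the handshake, and payload beyond bare
    headers. A lone SYN, or SYN+RST with a packet or two, is a scan or refusal."""
    handshake = bool(flow.flags & SYN) and bool(flow.flags & ACK)
    return handshake and flow.packets >= min_packets and flow.bytes >= min_bytes


def cluster_targets(flows):
    """Map each source provider to the set of target hosts it held real sessions with."""
    clusters = defaultdict(set)
    for f in flows:
        if is_established(f) and provider(f.dst) == "target_host":
            clusters[provider(f.src)].add(f.dst)
    return clusters


def overlap(clusters, a, b):
    """Target hosts contacted by both source clusters."""
    return clusters.get(a, set()) & clusters.get(b, set())


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", 443, SYN | ACK | PSH | FIN, 42, 9_800),     # real session
    Flow("192.0.2.10", "203.0.113.6", 443, SYN | ACK | PSH | FIN, 31, 6_100),     # real session
    Flow("192.0.2.11", "203.0.113.7", 8443, SYN, 1, 60),                          # lone SYN: scan
    Flow("198.51.100.20", "203.0.113.5", 443, SYN | ACK | PSH | FIN, 58, 14_200), # real session, shared host
    Flow("198.51.100.20", "203.0.113.8", 443, SYN | ACK | PSH | FIN, 12, 1_900),  # real session
    Flow("198.51.100.21", "203.0.113.6", 443, SYN | RST, 2, 120),                 # refused: no session
    Flow("198.51.100.21", "203.0.113.9", 443, SYN | ACK, 2, 120),                 # handshake only, no payload
]


if __name__ == "__main__":
    clusters = cluster_targets(SAMPLE_FLOWS)
    for name, hosts in sorted(clusters.items()):
        print(f"{name}: {len(hosts)} target hosts with established sessions -> {sorted(hosts)}")
    print("shared targets:", sorted(overlap(clusters, "provider_A", "provider_B")))
```

The thresholds are deliberately conservative: a scanner that completes a handshake and sends nothing still fails the byte check, while a real session to a C2 or a transit node comfortably passes it. In practice the flags field is unreliable on sampled exporters, so the byte and packet checks are what carry the decision when flags are missing.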