The same hacker targeting Canadian casinos and mining companies for extortion since 2013 is planning more attacks, researchers at cyber security company FireEye said in a report on Friday.
FireEye said it believes that a single hacker or hacking group that it dubbed FIN10 is behind the breaches due to similarities in method: how they broke into corporate systems, stealing gigabytes of sensitive data and demanding ransom paid in Bitcoin, and publicizing the stolen information by alerting bloggers.
While FireEye declined to identify victims by name, the methods described in their report echoed those used in attacks on Goldcorp, the world’s third-biggest gold miner by market value, smaller operator Detour Gold, and the Casino Rama Resort.
FireEye said FIN10’s degree of operational success makes more campaigns “highly probable” and that it had evidence suggesting the group had targeted additional victims.
FireEye said FIN10 used the moniker Angels_of_Truth at least once, claiming to attack in retaliation for Canadian sanctions against Russia. More often, it borrowed the name Tesla Team from a group of Serbian hacktivists.
FireEye believes FIN10 was flying ‘false flags’ with those names, with no backing from a nation-state or affiliation with organized criminals.
Angels_of_Truth was the name used by hackers who contacted a databreaches.net blogger between April and June 2015 claiming credit in Russian and English for the Detour intrusion.
The same blogger, alerted to a breach at Goldcorp in April 2016, published details on the Daily Dot website before Goldcorp acknowledged the compromise.
The Vancouver-based miner has since modified its IT processes, increased network security protocols, and worked to educate its staff about cyber risks, a spokeswoman said.
After that breach, a mining industry group formed a network to share information on cyber threats. At least six members, including Teck Resources Ltd, will take the project live next month.
FIN10 is still in contact with some victims and more targets may “become aware of the threat in the coming weeks or months,” said Charles Carmakal, vice president at FireEye’s Mandiant unit.
Detour Gold did not respond to requests for comment. Nor did Casino Rama, which said in November that sensitive customer, employee, and vendor data had been stolen. Some was reportedly later posted online, and they now face a class action lawsuit over the breach.