FIN12

Threat Actor updated 2 months ago (2024-06-24T19:17:42.018Z)
FIN12, also known as DEV-0237 and Pistachio Tempest, is a financially motivated threat actor group. Tracked by Microsoft, the group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. It was responsible for several high-profile ransomware attacks, notably on U.S. hospitals in 2020, and has since broadened its targeting. A distinctive aspect of FIN12's operations is that it has been observed active on the same victim system at the same time as other threat actors such as FIN7, each using different infrastructure and tradecraft, which illustrates how difficult technical attribution of cybercriminal activity can be. FIN12 has been particularly active against the healthcare industry, as reported by the HHS in 2022. In one notable incident, the group used valid credentials belonging to a healthcare professional to gain backdoor access to the network of a French hospital in Brest. The group deploys ransomware using tools such as SystemBC alongside Cobalt Strike (CS Beacon). Additionally, DAVESHELL, a tool used by nearly 30 threat groups including FIN12, has been observed loading DICELOADER in a manner unique to a small cluster of threat activity. FIN12 is linked to Wizard Spider, a financially motivated hacking group, and has shown connections to Exotic Lily, a Russian financially motivated cybercrime group. Furthermore, research has identified over two dozen different threat actors, including FIN12, hosting command-and-control (C2) servers on Cloudzy infrastructure; that list includes Chinese, Indian, Iranian, North Korean, Pakistani, Russian, and Vietnamese actors, the Israeli spyware vendor Candiru, and various cybercriminal groups. These associations underscore the interconnected nature of the cybercrime landscape and the significant threat posed by FIN12.
Description last updated: 2024-06-24T19:16:58.395Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles that may also be relevant.
ID | Votes | Profile Description
Pistachio Tempest | 3 | Pistachio Tempest, also known as FIN12, is a threat actor that has been identified as a significant cybersecurity risk, particularly to the healthcare industry. According to a report by the U.S. Department of Health and Human Services (HHS) in 2022, this group has specifically targeted healthcare en
Wizard Spider | 2 | Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a significant threat actor in the cybercrime landscape. This group has been continually analyzed by IBM Security X-Force researchers for its use of several crypters and is credited with creating the notorious, ev
EXOTIC LILY | 2 | Exotic Lily, an initial access broker (IAB), has been active since at least September 2021. The entity conducts highly sophisticated phishing campaigns to gain initial access to organizations and then sells this access to other threat actors, including ransomware groups. A notable example of their m
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Beacon
Associated Malware
ID | Type | Votes | Profile Description
Conti | Unspecified | 2 | Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was
SystemBC | Unspecified | 2 | SystemBC is a type of malware, or malicious software, that has been heavily utilized in cyber-attacks and data breaches. Throughout 2023, it was frequently used in conjunction with other malware like Quicksand and BlackBasta by cybercriminals to exploit vulnerabilities in computer systems. Play rans
Source Document References
Information about the FIN12 threat actor was drawn from the documents listed below. This display is limited to 20 results.
Source | Created | Title
BankInfoSecurity | 2 months ago | European Union Sanctions Russian State Hackers
BankInfoSecurity | 8 months ago | Sizing Up the Worst Healthcare Hacks of 2023
MITRE | 9 months ago | FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
MITRE | 9 months ago | The many lives of BlackCat ransomware | Microsoft Security Blog
CERT-EU | a year ago | Southern African power generator targeted with DroxiDat malware | National Cyber Security Consulting
CERT-EU | a year ago | US internet hosting company appears to facilitate global cybercrime, researchers say
CERT-EU | a year ago | Iranian ISP suspected of aiding cybercriminals and nation-state hackers
CERT-EU | a year ago | Focus on DroxiDat/SystemBC – GIXtools
CERT-EU | a year ago | Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers
InfoSecurity-magazine | a year ago | DroxiDat-Cobalt Strike Duo Targets Power Generator Network
Securityaffairs | a year ago | Power Generator in South Africa hit with DroxiDat and Cobalt Strike
CERT-EU | a year ago | Focus on DroxiDat/SystemBC
MITRE | 2 years ago | Exposing initial access broker with ties to Conti