GOLD NIAGARA
SUMMARY
GOLD NIAGARA, also known as FIN7 or Carbon Spider, is a group of financially motivated cybercriminals that has targeted retail, restaurant, and hospitality organizations that process payment card transactions since at least 2015. Several members of the group were indicted by the U.S. Department of Justice in August 2018. In April 2021, the U.S. Department of Justice announced that Ukrainian national Fedir Hladyr, a systems administrator for the group, had been sentenced to 10 years in prison following a September 2019 guilty plea to conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking. In June 2021, Ukrainian national Andrii Kolpakov was sentenced by U.S. authorities to seven years in prison following his arrest in Spain in 2018 and subsequent extradition. In their June 2021 press release, the DOJ noted that some estimates put financial losses attributable to GOLD NIAGARA at that time at more than one billion U.S. dollars.
GOLD NIAGARA has used a wide range of lightweight downloaders and backdoors for initial access, typically delivered via spearphishing emails (and sometimes accompanied by a phone call to the recipients) but also by other means including, in at least one campaign, trojanized USB devices that were mailed to targets. Carbanak, Meterpreter and Cobalt Strike have been downloaded as second-stage payloads. GOLD NIAGARA has also used custom malware designed to harvest information from point-of-sale systems.
In February 2021, third-party researchers asserted that elements of GOLD NIAGARA were involved in the DarkSide ransomware-as-a-service (RaaS) scheme, operated by a group CTU researchers track as GOLD WATERFALL. In May 2021, a GOLD WATERFALL affiliate was responsible for a post-intrusion ransomware attack on U.S. oil distributor Colonial Pipeline that generated a public and law enforcement reaction which ultimately led to the DarkSide RaaS operators shuttering their operation. CTU researchers have no direct observations that would confirm any link between GOLD NIAGARA and GOLD WATERFALL. However, in March 2023, CTU researchers investigated an intrusion conducted by GOLD NIAGARA that resulted in the deployment of Clop ransomware. Third-party reporting has also described the group deploying Clop in opportunistic attacks. It is plausible that GOLD NIAGARA has transitioned to conducting ransomware operations, perhaps in response to declining revenue from point-of-sale theft.