FIN7 is Running a New Fake Company Called ‘Bastion Secure’ for Ransomware Attacks

FIN7, a Russian hacking group, is masquerading as a cybersecurity service company named “Bastion Secure,” to carry out ransomware attacks.

Researchers at Recorded Future’s Gemini Advisory unit released an advisory revealing the hacking group FIN7’s malicious operations under the guise of a cybersecurity services firm, Bastion Secure. Through this phony company, the group is recruiting IT specialists to conduct pen testing and carry out ransomware attacks.

Researchers from the Gemini Advisory group posed as IT professionals and applied for the role of IT executives. They were asked to analyze tools and network files. The company appears legitimate as it has closely replicated other service companies in its recruitment process. They conduct a series of practice tests, which are typical for an IT position.

The motive is to hire pen testers, in the guise of system administrators, who have the skill to map compromised corporate systems, perform network checks, and locate backup server files and components needed to initiate any malware attack.

FIN7 can use dark web forums to get entry into compromised networks, but at a high price, whereas recruiting its own staff lets it execute the attack at a much lower cost without having to share the bounty.

What is Pen testing? 

A penetration test, colloquially known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed.

FIN7 and Ransomware 

The names Carbanak and FIN7 have at times been used to refer to the same financially motivated Russian threat group. Per a Trend Micro release, organizations such as MITRE identify them as two separate entities that make use of the Carbanak backdoor in their attacks.

“However, the groups use not just the Carbanak backdoor but also other types of malware such as Pillowmint, a point-of-sale malware, and Tirion, which is said to be geared to replace Carbanak,” Trend Micro said.

The two groups focus on their own areas of expertise and targets: Carbanak focuses on banking institutions, while FIN7 targets food, hospitality, and retail establishments.

Since 2015, FIN7 has successfully pilfered data for more than 16 million payment cards, which have been sold on dark web forums and online marketplaces for stolen data.

Earlier, the group had set up “Combi Security” to recruit hackers to engage in a malware campaign with criminal intent.


Ransomware incidents are making headlines every week. The attacks on Sinclair Broadcast Group, Cox Media Group, and JVCKenwood are some recent incidents reported in October alone.

There are visible efforts at both the community and policymakers’ levels, but no solution yet. Experts have been reiterating that the attacks will continue to grow; we need to have a better threat detection capability and incident response plan in place. With the onset of global action plans to combat ransomware, it will be some time before we actually can taste the fruits.