A prolific Eastern European cyber criminal group has tried to hack US companies in the transportation, defence and insurance sectors by mailing those organisations malicious USB drives, the FBI warned US businesses in an advisory obtained by CNN.
The unnamed companies received a series of fake letters via the US Postal Service and UPS from August to November 2021 impersonating the Department of Health and Human Services in some cases, and Amazon in others, according to the FBI.
Instead of an actual Amazon gift card or authorised guidance about the coronavirus pandemic, the letters came with a USB stick laced with malicious software. If inserted into a computer, the USB stick could have given the hacking group access to an organisation's networks to deploy ransomware, the FBI said.
It's unclear if any of the firms were compromised in the incidents, but it's a reminder of the long reach and clever tactics of a cyber criminal group that US law enforcement have pursued for years.
The FBI pinned the incidents on FIN7, an Eastern European cyber crime operation that US prosecutors have blamed for billions of dollars in losses to consumers and businesses in the US and abroad.
The Justice Department has accused FIN7 of stealing millions of credit card numbers from restaurant and hospitality chains in 47 states, and FBI agents have pursued FIN7 operatives for years.
The group can be difficult to pin down, after evolving significantly in recent years and has lost some of its members to law enforcement busts.
US cyber security firm Mandiant, which also analysed some of the malicious code sent via the USB sticks, said it had "low confidence" that the activity was "attributable to FIN7-affiliated actor".
Bleeping Computer, a cyber security news outlet, first reported on the FBI advisory.
The FBI, which regularly sends cyber threat alerts to US businesses, did not respond to CNN's request for comment on the advisory.
As one of the world's most successful and organised cyber crime groups, FIN7 epitomises the challenge that law enforcement officials have in curtailing the lucrative digital fraud industry.
The group has operated a front company, which purported to offer cyber security services, to recruit talent from Eastern Europe, according to cyber security researchers and the Justice Department. FIN7's operatives are meticulous and are known to call victims to ensure they have clicked on phishing links sent by the hackers.
The group lives on despite the arrest and prosecution of some of its members.
The US Justice Department in August 2018 announced the arrest of three Ukrainian men and accused them of being "high-profile" members of FIN7. A US judge in April 2021 sentenced one of those men to 10 years in prison.
Mailed USB sticks is not a new tactic for FIN7. The group, or someone operating on its behalf, mailed an organisation in the US hospitality sector a USB device and a purported Best Buy gift card in February 2020, prompting the FBI to investigate.
The hackers' use of a non-digital medium like snail mail could offer the FBI clues it doesn't normally get in a cyber investigation.
The FBI is asking all organisations that received a package from the hacking group to "handle it with care to preserve DNA and fingerprints that may be obtainable from the package," the bureau's advisory to US businesses stated.