Damage to Banks, Merchants, Card Companies, and Consumers Estimated at more than $1 Billion
A Ukrainian man was sentenced today in the Western District of Washington to five years in prison for his criminal work in the hacking group FIN7.
According to court documents, Denys Iarmak, 32, served as a high-level hacker, whom the group referred to as a “pen tester,” for FIN7. He was arrested in Bangkok, Thailand, in November 2019 at the request of U.S. law enforcement. Iarmak is the third member of the FIN7 group to be sentenced in the United States. On April 16, 2021, FIN7 member Fedir Hladyr was sentenced to 10 years in prison. On June 24, 2021, FIN7 member Andrii Kolpakov was sentenced to seven years in prison.
In the United States alone, FIN7 successfully breached the computer networks of businesses in all 50 states and the District of Columbia, stealing more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations. According to court documents, victims incurred enormous costs that, according to some estimates, exceeded $1 billion dollars. Additional intrusions occurred abroad, including in the United Kingdom, Australia, and France. Companies that have publicly disclosed hacks attributable to FIN7 include such chains as Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.
“Iarmak and his conspirators compromised millions of financial accounts, causing over a billion dollars in losses to Americans and costs to America’s economy,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “Protecting businesses – both large and small – online is a top priority for the Department of Justice. We are committed to working with our international partners to hold such cyber criminals accountable, no matter where they live or how anonymous they think they are.”
“Iarmak was directly involved in designing phishing emails embedded with malware, intruding on victim networks, and extracting data such as payment card information,” said U.S. Attorney Nicholas W. Brown of the Western District of Washington. “To make matters worse, he continued his work with the FIN7 criminal enterprise even after the arrests and prosecution of co-conspirators. He and others in this cybercrime group used hacking techniques to essentially rob thousands of locations of multiple restaurant chains at once, from the comfort and safety of their keyboards in distant countries.”
“This cyber-criminal probed and mapped victims networks searching for data to exploit,” said Special Agent in Charge Donald M. Voiret of the FBI’s Seattle Field Office. “Masquerading as a legitimate business, the hacking group he belonged to recruited other members to assist with their criminal activities. Thanks to the hard work of law enforcement, this defendant, who is responsible for an enormous loss amount, will be spending the next few years in prison.”
According to court documents, since at least 2015, members of FIN7 (also referred to as Carbanak Group and the Navigator Group, among other names) engaged in a highly sophisticated malware campaign to attack hundreds of U.S. companies, predominantly in the restaurant, gambling, and hospitality industries. FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers that were then used or sold for profit. FIN7, through its dozens of members, launched waves of malicious cyberattacks on numerous businesses operating in the United States and abroad. To execute its scheme, FIN7 carefully crafted email messages that would appear legitimate to a business’ employees and accompanied emails with telephone calls intended to further legitimize the emails. Once a file attached to a fraudulent email was opened and activated, FIN7 would use an adapted version of the Carbanak malware, in addition to an arsenal of other tools, to access and steal payment card data for the business’s customers. Since 2015, many of the stolen payment card numbers have been offered for sale through online underground marketplaces.
Iarmak was involved with FIN7 from approximately November 2016 through November 2018. Iarmak frequently used project management software such as JIRA, hosted on private virtual servers in various countries, to coordinate FIN7 malicious activity and to manage the assorted network intrusions. JIRA is a project management and issue-tracking program used by software development teams. JIRA allows team members to create “projects” containing posted “issues” under which other team members can make comments and share data. Under each issue, FIN7 members tracked their progress breaching a victim’s security, uploaded data stolen from the victim, and provided guidance to each other. As one example, Iarmak created a JIRA issue, to which he and other members of the cybergroup had access, for a specific victim company, and, on or about March 3, 2017, Iarmak updated that JIRA and uploaded data he had stolen from that company. During the course of the scheme, Iarmak received compensation for his participation in FIN7, which far exceeded comparable legitimate employment in Ukraine. Moreover, FIN7 members, including Iarmak, were aware of reported arrests of other FIN7 members, but nevertheless continued to attack U.S. businesses.
Iarmak initially fought extradition but in February 2020 he consented to extradition in a Thai court. In May 2020 he was transferred to U.S. custody. In November 2021, Iarmak pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.
This case is the result of an investigation conducted by the FBI’s Seattle Cyber Task Force. The Justice Department’s Office of International Affairs, the National Cyber-Forensics and Training Alliance, numerous computer security firms and financial institutions, FBI offices across the nation and globe, as well as a number of international agencies provided significant assistance. Thailand law enforcement authorities provided significant assistance by arresting Iarmak.
This case was prosecuted by Assistant U.S. Attorney Steven Masada of the Western District of Washington and Trial Attorney Anthony Teelucksingh of the Criminal Division’s Computer Crime and Intellectual Property Section.
- Serbia National Day
February 15, 2022
- VA Health Care: VA Needs to Continue to Strengthen Its Oversight of Quality of State Veterans Homes
July 30, 2020The Department of Veterans Affairs (VA) pays over $1 billion a year to state veterans homes (SVH)—homes owned and operated by the states—to provide nursing home care to approximately 20,000 veterans. In fiscal year 2019, VA paid SVHs $1.17 billion for an average daily census of 20,072 veterans (51 percent of the total veterans receiving nursing home care through VA). Further, VA projects its payments to SVHs will continue to increase; VA projects it will pay $1.7 billion to SVHs to provide care to veterans in fiscal year 2022. VA oversees the quality of care veterans receive at SVHs mainly through annual inspections that VA hires a contractor to perform. In its July 2019 report, GAO found that VA’s SVH contractor performed the required annual inspections for all SVHs in 2018, but VA needed to take action to enhance its oversight of SVHs and to ensure that information on quality of care provided in this setting is publicly available to veterans. Specifically, GAO found the following: VA does not require its SVH contractor to identify all failures to meet quality standards during its inspections as deficiencies . For example, GAO found that VA allows its SVH contractor to cite some failures to meet quality standards as “recommendations,” rather than as deficiencies. VA officials said they do not track or monitor the nature of the recommendations or whether they have been addressed. As a result, VA does not have complete information on all failures to meet quality standards at SVHs and cannot track this information to identify trends in quality across these homes. VA is not conducting all monitoring of its SVH contractor. GAO found that, at the time of its review, VA had not monitored the SVH contractor’s performance of inspections through regular observational assessments to ensure that contractor staff effectively determine whether SVHs are meeting required standards. Specifically, VA officials said they intended to observe the SVH contractor’s inspections on a quarterly basis; however, at the time of GAO’s review, VA officials could not recall when VA last observed the SVH contractor’s inspections. In July 2020, VA provided information indicating that they will regularly monitor the SVH contractor’s performance in conducting inspections through observational assessments. VA does not share information on the quality of SVHs on its website. GAO found that, while VA provides information on the quality of other nursing home care settings on its website, it does not do so for SVHs. According to VA officials, there is no requirement to provide information on SVH quality on its website, as SVHs are owned and operated by the states. VA is the only federal agency that conducts regular oversight inspection on the quality of care of all SVHs and, as a result, is the only agency that could share such quality information on its website. Veterans—like over a million other Americans—rely on nursing home care to help meet their health needs. For eligible veterans whose health needs require skilled nursing and personal care, VA provides or pays for nursing home care in three nursing home settings: the VA-owned and -operated community living centers, public- or privately owned community nursing homes, and state-owned and -operated SVHs. In fiscal year 2019, VA provided or paid for nursing home care for over 39,000 veterans. The majority of these veterans received care at SVHs. This statement summarizes the GAO’s July 2019 report, GAO-19-428 , with a focus on issues related to SVHs. Specifically, it describes the: (1) use of and expenditures for SVHs, (2) inspections used by VA to assess the quality of SVH care and VA’s oversight of the inspection process, and (3) information VA provides publicly on the quality of SVH care. As part of that work GAO analyzed VA data on expenditures for SVHs and interviewed VA officials. For this statement GAO reviewed expenditure and utilization data for fiscal year 2019. In its July 2019 report, GAO made three recommendations related to SVHs, including that VA require that all failures to meet quality standards are cited as deficiencies on SVH inspections. VA concurred with two recommendations and concurred in principle with the third. VA has addressed one recommendation and continued attention is needed to address the two remaining recommendations. For more information, contact Sharon M. Silas at (202) 512-7114 or email@example.com.
- Hospice Administrator Sentenced for Role in Hospice Fraud Scheme
February 19, 2021The administrator of a Southern California hospice was sentenced Thursday to 30 months in prison for his role in a multimillion dollar hospice fraud scheme.
- Austria National Day
October 26, 2021
- Secretary Pompeo’s Meeting with French Foreign Minister Le Drian
November 16, 2020
- Science & Tech Spotlight: Air Quality Sensors
December 7, 2020Why This Matters Air quality sensors are essential to measuring and studying pollutants that can harm public health and the environment. Technological improvements have led to smaller, more affordable sensors as well as satellite-based sensors with new capabilities. However, ensuring the quality and appropriate interpretation of sensor data can be challenging. The Technology What is it? Air quality sensors monitor gases, such as ozone, and particulate matter, which can harm human health and the environment. Federal, state, and local agencies jointly manage networks of stationary air quality monitors that make use of sensors. These monitors are expensive and require supporting infrastructure. Officials use the resulting data to decide how to address pollution or for air quality alerts, including alerts during wildfires or on days with unhealthy ozone levels. However, these networks can miss pollution at smaller scales and in rural areas. They generally do not measure air toxics—more localized pollutants that may cause cancer and chronic health effects—such as ethylene oxide and toxic metals. Two advances in sensor technologies may help close these gaps. First, newer low-cost sensors can now be deployed virtually anywhere, including on fences, cars, drones, and clothing (see fig. 1). Researchers, individuals, community groups, and private companies have started to deploy these more affordable sensors to improve their understanding of a variety of environmental and public health concerns. Second, federal agencies have for decades operated satellites with sensors that monitor air quality to understand weather patterns and inform research. Recent satellite launches deployed sensors with enhanced air monitoring capabilities, which researchers have begun to use in studies of pollution over large areas. Figure 1. There are many types of air quality sensors, including government-operated ground-level and satellite-based sensors, as well as low-cost commercially available sensors that can now be used on a variety of platforms, such as bicycles, cars, trucks, and drones. How does it work? Low-cost sensors use a variety of methods to measure air quality, including lasers to estimate the number and size of particles passing through a chamber and meters to estimate the amount of a gas passing through the sensor. The sensors generally use algorithms to convert raw data into useful measurements (see fig. 2). The algorithms may also adjust for temperature, humidity and other conditions that affect sensor measurements. Higher-quality devices can have other features that improve results, such as controlling the temperature of the air in the sensors to ensure measurements are consistent over time. Sensors can measure different aspects of air quality depending on how they are deployed. For example, stationary sensors measure pollution in one location, while mobile sensors, such as wearable sensors carried by an individual, reflect exposure at multiple locations. Satellite-based sensors generally measure energy reflected or emitted from the earth and the atmosphere to identify pollutants between the satellite and the ground. Some sensors observe one location continuously, while others observe different parts of the earth over time. Multiple sensors can be deployed in a network to track the formation, movement, and variability of pollutants and to improve the reliability of measurements. Combining data from multiple sensors can increase their usefulness, but it also increases the expertise needed to interpret the measurements, especially if data come from different types of sensors. Figure 2. A low-cost sensor pulls air in to measure pollutants and stores information for further study. How mature is it? Sensors originally developed for specific applications, such as monitoring air inside a building, are now smaller and more affordable. As a result, they can now be used in many ways to close gaps in monitoring and research. For example, local governments can use them to monitor multiple sources of air pollution affecting a community, and scientists can use wearable sensors to study the exposure of research volunteers. However, low-cost sensors have limitations. They operate with fewer quality assurance measures than government-operated sensors and vary in the quality of data they produce. It is not yet clear how newer sensors should be deployed to provide the most benefit or how the data should be interpreted. Some low-cost sensors carry out calculations using artificial intelligence algorithms that the designers cannot always explain, making it difficult to interpret varying sensor performance. Further, they typically measure common pollutants, such as ozone and particulate matter. There are hundreds of air toxics for which additional monitoring using sensors could be beneficial. However, there may be technical or other challenges that make it impractical to do so. Older satellite-based sensors typically provided infrequent and less detailed data. But newer sensors offer better data for monitoring air quality, which could help with monitoring rural areas and pollution transport, among other benefits. However, satellite-based sensor data can be difficult to interpret, especially for pollution at ground level. In addition, deployed satellite-based sensor technologies currently only measure a few pollutants, including particulate matter, ozone, sulfur dioxide, nitrogen dioxide, formaldehyde, and carbon monoxide. Opportunities Improved research on health effects. The ability to track personal exposure and highly localized pollution could improve assessments of public health risks. Expanded monitoring. More dense and widespread monitoring could help identify pollution sources and hot spots, in both urban and rural areas. Enhanced air quality management. Combined measurements from stationary, mobile, and satellite-based sensors can help officials understand and mitigate major pollution issues, such as ground-level ozone and wildfire smoke. Community engagement. Lower cost sensors open up new possibilities for community engagement and citizen science, which is when the public conducts or participates in the scientific process, such as by making observations, collecting and sharing data, and conducting experiments. Challenges Performance. Low-cost sensors have highly variable performance that is not well understood, and their algorithms may not be transparent. Low-cost sensors operated by different users or across different locations may have inconsistent measurements. Interpretation. Expertise may be needed to interpret sensor data. For example, sensors produce data in real time that may be difficult to interpret without health standards for short-term exposures. Data management. Expanded monitoring will create large amounts of data with inconsistent formatting, which will have to be stored and managed. Alignment with needs. Few of the current low-cost and satellite-based sensors measure air toxics. In addition, low-income communities, which studies show are disproportionally harmed by air pollution, may still face challenges deploying low-cost sensors. Policy Context and Questions How can policymakers leverage new opportunities for widespread monitoring, such as citizen science, while also promoting appropriate use and interpretation of data? How can data from a variety of sensors be integrated to better understand air quality issues, such as environmental justice concerns, wildfires, and persistent ozone problems? How can research and development efforts be aligned to produce sensors to monitor key pollutants that are not widely monitored, such as certain air toxics? For more information, contact Karen Howard at (202) 512-6888 or HowardK@gao.gov.
- International Competition Network Addresses Enforcement And Policy Challenges of the Digital Economy at United States-Hosted 19th Annual Conference
September 17, 2020The International Competition Network (ICN) held its 19th annual conference on September 14-17, 2020. Co-hosted by the Antitrust Division and the Federal Trade Commission (FTC), the conference was the ICN’s first virtual conference.
- Secretary Blinken’s Call with NATO Secretary General Stoltenberg
January 28, 2021
- Announcement of a Unity Government in Haiti
July 22, 2021
- Acting Attorney General Jeffrey A. Rosen Regarding the Overrunning of the U.S. Capitol Building
January 6, 2021Acting Attorney General Jeffrey A. Rosen issued the following statement: “The violence at our Nation’s Capitol Building is an intolerable attack on a fundamental institution of our democracy. From the outset, the Department of Justice has been working in close coordination with the Capitol Police and federal partners from the Interior Department, the Department of Homeland Security, and the National Guard, as well as the Metropolitan Police and other local authorities. Earlier this afternoon, the Department of Justice sent hundreds of federal law enforcement officers and agents from the FBI, ATF, and the U.S. Marshals Service to assist the Capitol Police in addressing this unacceptable situation, and we intend to enforce the laws of our land.”
- VA Medical Center Security: Progress Made, but Improvements to Oversight of Risk Management and Incident Analysis Still Needed
July 13, 2021What GAO Found The Department of Veterans Affairs (VA) has recently identified improvements for its physical security risk management policy and oversight process for its medical centers but has yet to implement them. In January 2018, GAO reported that VA’s risk management policy did not fully reflect federal standards for facility security, such as a requirement to consider all of the undesirable events described in the standards (e.g. active shooter incidents). GAO also reported that while VA conducted some limited oversight of medical centers’ risk management activities, it lacked a system-wide oversight strategy. GAO recommended that VA revise its policy to reflect federal standards and develop a system-wide oversight strategy to help to ensure that its approach to risk management will yield the appropriate security posture relative to the different risks at each of its medical centers. In response, as of June 2021, VA has begun to take actions to revise its policy to reflect the standards and fully deploy a risk assessment tool to help oversee risk management processes across medical centers. VA officials said they plan to implement the revised policy and assessment tool in fiscal year 2022. VA has improved its data collection to support the management and oversight of police officers’ use of force but could better track and analyze investigations. VA policy contains a use of force continuum scale to define and clarify the categories of force that officers can use to gain control of a situation. In September 2020, GAO reported that VA’s records of use of force incidents were not complete or accurate. For example, GAO found that 176 out of 1,214 use of force incident reports did not include the specific type of force used. Further, VA did not track incidents by individual medical centers. GAO also reported that VA did not systematically collect or analyze use of force investigation findings from local medical centers or have a database designed for such purposes, limiting VA’s ability to provide effective oversight. GAO recommended that VA improve the completeness and accuracy of its data on use of force, analyze that data by facility and geographic region, and implement plans to obtain a database to collect and analyze use of force investigations. As of June 2021, VA took steps to improve the accuracy and completeness of its use of force incident data, and officials stated VA is working to obtain a suitable database to track use of force investigation trends. GAO will continue to review VA’s steps to address recommendations from both reports. Why GAO Did This Study The Veterans Health Administration provides critical health services to approximately 9-million enrolled veterans at its nearly 170 medical centers. Ensuring safety and security at these medical centers can be complicated because VA has to balance the treatment and care of veterans—a vulnerable population with high rates of post-traumatic stress disorder and substance abuse—while also maintaining order and enforcing the law. Officers may need to use physical force to help bring a violent or hostile situation under control. This statement focuses on how VA manages and oversees (1) the physical security of medical centers and (2) use of force incidents by police officers. The statement is primarily based on GAO-18-201, issued in January 2018, and GAO-20-599, issued in September 2020. To update this information, GAO reviewed documentation and interviewed VA officials on actions taken to address these reports’ recommendations.
- Department of Justice Issues Statement Regarding Decision in Skyworks v. CDC
March 12, 2021More from: March 12, 2021 [Read More…]
- Former Union Official Sentenced for Violent Extortion
May 3, 2021An Indiana man and former business agent of Iron Workers Local 395 was sentenced today to more than four years in prison for conspiracy to commit Hobbs Act extortion.
- Hungary Travel Advisory
March 24, 2022Do not travel to Hungary [Read More…]
- Deputy Secretary Sherman’s Call with French, German, Italian and UK Counterparts
January 28, 2022
- U.S.-Europe Joint Statement on Afghanistan
January 27, 2022
- U.S. Actions Against Former Honduran President Juan Orlando Hernandez for Corruption
February 7, 2022
- Oil and Gas Leasing: BLM Should Update Its Guidance and Review Its Fees
December 9, 2021What GAO Found The Department of the Interior’s Bureau of Land Management (BLM), which leases federal lands for oil and gas development, has changed some of its leasing policies. For example, starting in fiscal year 2015, BLM was authorized to use online auctions, instead of in-person auctions, to award leases. In 2016, BLM launched an online system for submitting and processing nominations of lands for leasing. However, all of the agency’s guidance documents for oil and gas leasing that GAO reviewed were out of date and did not fully reflect these changes, though agency policy requires guidance be updated promptly. Unless BLM reviews and revises its process for updating its guidance, the agency’s outdated guidance may continue to lead to inefficiencies for industry and BLM state office staff that spend extra time interpreting outdated BLM guidance. Parties, such as oil and gas companies, leased a small portion of lands nominated for onshore oil and gas leasing from 2009 through 2019, when about 87 million acres were nominated and about 14 million acres were leased (see figure). Acreage Nominated, Offered for Lease, and Leased for Federal Onshore Oil and Gas Development, 2009 through 2019 BLM has not fully reviewed its application fees for oil and gas leases since 2005 despite changes to leasing that could affect program costs, such as the move from in-person to online auctions. BLM has conducted biennial reviews of its existing fees, but these reviews do not assess all of the costs the fees were intended to recover. Until BLM revises its approach to examine all relevant costs and adjusts fees accordingly, the agency may collect too much or too little in fees. In addition, BLM does not charge a fee to nominate lands for leasing and has not re-examined whether to charge such a fee since 2014. Without doing so, BLM risks continuing to expend resources to process nominations that do not result in leases. In addition, the agency may not strike the appropriate balance between encouraging nominations and controlling costs. Why GAO Did This Study BLM leases federal lands for oil and gas development through a process largely established with the Federal Onshore Oil and Gas Leasing Reform Act of 1987. Through this process, the public can suggest which federal lands should be made available for leasing by nominating them. BLM state offices review nominations, including to assess potential environmental impacts. BLM then offers leases at competitive auctions. While no fee is required to submit nominations, BLM charges an application fee for any leases that parties acquire. GAO was asked to review oil and gas leasing on federal lands. This report examines: (1) changes to BLM’s policies for oil and gas leasing since 1987, (2) outcomes for lands nominated for oil and gas leasing, and (3) the extent to which BLM reviews its oil and gas leasing fees in response to changing conditions. GAO analyzed BLM policies and guidance as well as data on nominations, leasing, costs, and fees collected. GAO also interviewed BLM headquarters and state office officials as well as representatives of two stakeholder groups.
- Judiciary Report Underscores Commitment to Civics Education
In U.S CourtsAugust 26, 2020Federal courts are approaching the 2020-2021 academic year with an endorsement of volunteer civics education efforts by judges and a willingness to support teachers in bringing the human face of the Judiciary into their civics and government classes, whether students are at home or in school.
- Biodefense: After-Action Findings and COVID-19 Response Revealed Opportunities to Strengthen Preparedness
August 4, 2021What GAO Found Key federal agencies, including the Departments of Homeland Security (DHS), Defense (DOD), Health and Human Services (HHS), and Agriculture (USDA), developed a range of interagency response plans to prepare for nationally significant biological incidents. These strategic, operational, and tactical level plans address responding to a broad spectrum of biological threats, including those that are intentional, accidental, or naturally occurring. DHS, DOD, HHS, and USDA conducted numerous interagency exercises to help prepare for and respond to a wide variety of biological incidents, such as anthrax attacks, influenza pandemics, and diseases affecting plants and animals. Specifically, GAO identified 74 interagency biological incident exercises conducted from calendar years 2009 through 2019. Number of Interagency Biological Incident Exercises Conducted, Calendar Years 2009 through 2019 GAO’s analysis of after-action reports for selected interagency biological incident exercises and real-world incidents, as well as the COVID-19 response, identified long-standing biodefense challenges. GAO found that the nation lacked elements necessary for preparing for nationally significant biological incidents, including a process at the interagency level to assess and communicate priorities for exercising capabilities. Further, it determined that agencies do not routinely work together in monitoring results from exercises and real-world incidents to identify patterns and root causes for systemic challenges. Assessing and communicating exercise priorities and routinely monitoring the results of the exercises and incidents will help ensure the nation is better prepared to respond to the next biological threat. Why GAO Did This Study The COVID-19 pandemic shows how catastrophic biological incidents can cause substantial loss of life, economic damage, and require a whole-of-nation response involving multiple federal and nonfederal entities. The 2018 National Biodefense Strategy outlines specific goals and objectives to help prepare for and respond to such incidents. The CARES Act includes a provision for GAO to conduct monitoring and oversight of federal efforts to prepare for, respond to, and recover from COVID-19. This report addresses: (1) interagency plans key federal agencies developed, and exercises they conducted, to help prepare for biological incidents; and (2) the extent to which exercises and real-world incidents revealed opportunities to better achieve National Biodefense Strategy objectives. GAO reviewed biological incident plans and after-action reports from exercises and real-world incidents from calendar years 2009 through 2019, including a non-generalizable sample of 19 reports selected based on threat scenario and other factors. GAO interviewed federal and state officials to obtain their perspectives on plans, exercises, and the COVID-19 response.