Threat Actor Profile
High APT
Description

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)

Confidence Score
90%
Known Aliases
FIN5
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (11)
T1074.001 - Local Data Staging (Collection)
T1119 - Automated Collection (Collection)
T1090.002 - External Proxy (Command and Control)
T1110 - Brute Force (Credential Access)
T1070.001 - Clear Windows Event Logs (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1018 - Remote System Discovery (Discovery)
T1059 - Command and Scripting Interpreter (Execution)
T1133 - External Remote Services (Persistence)
T1588.002 - Tool (Resource Development)
STIX Data
{'aliases': ['FIN5'],
 'created': '2018-01-16T16:13:52.465Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[FIN5](https://attack.mitre.org/groups/G0053) is a '
                'financially motivated threat group that has targeted '
                'personally identifiable information and payment card '
                'information. The group has been active since at least 2008 '
                'and has targeted the restaurant, gaming, and hotel '
                'industries. The group is made up of actors who likely speak '
                'Russian. (Citation: FireEye Respond Webinar July 2017) '
                '(Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: '
                'DarkReading FireEye FIN5 Oct 2015)',
 'external_references': [{'external_id': 'G0053',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0053'},
                         {'description': '(Citation: FireEye Respond Webinar '
                                         'July 2017) (Citation: Mandiant FIN5 '
                                         'GrrCON Oct 2016) (Citation: '
                                         'DarkReading FireEye FIN5 Oct 2015)',
                          'source_name': 'FIN5'},
                         {'description': 'Scavella, T. and Rifki, A. (2017, '
                                         'July 20). Are you Ready to Respond? '
                                         '(Webinar). Retrieved October 4, '
                                         '2017.',
                          'source_name': 'FireEye Respond Webinar July 2017',
                          'url': 'https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html'},
                         {'description': 'Bromiley, M. and Lewis, P. (2016, '
                                         'October 7). Attacking the '
                                         'Hospitality and Gaming Industries: '
                                         'Tracking an Attacker Around the '
                                         'World in 7 Years. Retrieved October '
                                         '6, 2017.',
                          'source_name': 'Mandiant FIN5 GrrCON Oct 2016',
                          'url': 'https://www.youtube.com/watch?v=fevGZs0EQu8'},
                         {'description': 'Higgins, K. (2015, October 13). '
                                         'Prolific Cybercrime Gang Favors '
                                         'Legit Login Credentials. Retrieved '
                                         'October 4, 2017.',
                          'source_name': 'DarkReading FireEye FIN5 Oct 2015',
                          'url': 'https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?'}],
 'id': 'intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022',
 'modified': '2025-04-25T14:49:23.588Z',
 'name': 'FIN5',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Walker Johnson'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.2'}