Sangria Tempest (also known as FIN7) is a sophisticated threat actor group that targets organisations in the banking, retail, and hospitality sectors, for the purposes of financial gain.

The group was initially identified in 2016. However, discrepancies exist with regards to classifying the group as a legitimate advanced persistent threat (APT) group or a cybercriminal group, more generally. The disagreement seems to have been the result of Sangria Tempest being attributed to a cluster of operations that has overlapped with other groups such as Cobalt Gang. It is possible that Sangria Tempest is actually the same as the Carbanak group, due to the similarities that exist within their choice of tactics. It also remains a possibility that both groups collaborate closely with one another.

Sangria Tempest is motivated by securing financial credentials and related data. Their methods of intrusion have developed since the group’s inception and include specially crafted phishing emails and documents, obfuscating hidden LNK shortcut files in DOCX and RTF documents, exploitation of both PowerShell commands and Microsoft Dynamic Data Exchange (DDE), and infiltrating Point of Sale (POS) systems in retail stores. However, it is almost certainly the case that their motivation of financial gain is to be identified as the constant factor throughout the distribution of their campaigns.

Download this report