By Christopher Bing and Karen Freifeld
WASHINGTON (Reuters) - Three Ukrainians have been arrested on criminal hacking charges including stealing payment card numbers, in attacks on more than 100 U.S. companies that cost businesses tens of millions of dollars, the U.S. Justice Department said on Wednesday.
U.S. prosecutors alleged that the three Ukrainians, who were arrested in Europe between January and June, are members of FIN7, a notorious cybercrime gang.
Victims include the Chipotle Mexican Grill, Emerald Queen Hotel and Casino in Washington state, Jason's Deli, Red Robin Gourmet Burgers, Sonic Drive-in and Taco John's, according to the Justice Department. The Emerald Queen stopped the attack and no customer data was stolen, prosecutors said in a press release.
FIN7 has previously been linked to breaches of Trump Hotels, Whole Foods, Saks Fifth Avenue and Lord & Taylor, according to cyber security firm Trend Micro.
One of the three defendants, Fedir Hladyr, 33, has been transferred to Seattle from Dresden, Germany, where he was arrested. Authorities said they are seeking the extradition of the other two: Dmytro Fedorov, 44, and Andrii Kolpakov, 30.
Hladyr has pleaded not guilty and denies wrongdoing, according to his attorney, Arkady Bukh.
"There is no clear decision at this time whether (we) will go to trial or will consider a plea," Bukh said via email.
Reuters could not reach lawyers for the other two.
The three stole and sold payment card numbers and other data belonging to U.S. citizens and businesses, Assistant Attorney General Brian Benczkowski said in a statement.
FIN7 sent "phishing" emails to companies, sometimes following up with phone calls urging employees to open tainted attachments, the indictments said.
Ukrainian officials could not be reached for comment.
FIN7, also widely known as Carbanak, employs dozens of individuals who handle highly specialized tasks such as breaking into networks, stealing payment card numbers and selling stolen data on underground criminal forums, said Adrian Nish, head of threat intelligence with BAE Systems.
The defendants used a front company named "Combi Security" that claims to have offices in Moscow, Haifa and Odessa, to launch some intrusions, according to court documents.
Combi Security's website describes it as an expert "in the field of comprehensive protection of large information systems from modern cyber threats."
Cybersecurity firm FireEye said it found job advertisements for Combi Security posted to several different Russian, Ukrainian and Uzbek job recruitment websites.
FIN7 stole more than 15 million customer card records from U.S. businesses and also targeted companies in Australia, France and the United Kingdom, according to U.S. prosecutors.
(Reporting by Christopher Bing and Karen Freifeld in Washington; Additional reporting by Pavel Polityuk in Kiev; Writing by Diane Bartz; Editing by David Gregorio, Bill Trott and Jim Finkle)