Security News > 2020 > October > FIN11 Spun Out From TA505 Umbrella as Distinct Attack Group
FIN11 is a new designation for a financially motivated threat actor that may previously have been obscured within the activity set and group usually referred to as TA505.
The group now defined by Mandiant Threat Intelligence researchers as FIN11 similarly uses large-scale phishing campaigns, but is primarily defined by its unique use of the CLOP ransomware.
It is possible that some earlier attacks attributed to TA505 were actually undertaken by FIN11 - especially those that used any of the malware now uniquely attributed to FIN11.
"I would think of TA505 as a really big umbrella, while FIN11 is a portion of that activity," she said.
"So, the TA505 attribution isn't necessarily incorrect, it's just another name that other companies use for this activity. We would caution against just saying we attribute that attack to FIN11 because we don't have the technical artifacts. We need to see the full life cycle of the tactics and malware that attackers use within an environment before we would make an attribution." Nevertheless, it is tempting on the basis of this new report to suggest that the Maastricht attack would be better attributed to FIN11 than to TA505.