The Bank's Information Security team detected traces of malicious programs and suspicious connections to the server. In order to stop further unauthorized access, the entire bank was blocked from accessing the Internet. This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop.
The day after the attack, Group-IB experts came to the bank's central office and began searching for the source of the attack; ascertaining the stages of its development, causes, and consequences; analyzing the malicious programs; and restoring the chain of events. The computers that were involved in the attack were then examined.
Group-IB forensic specialists immediately understood that they faced a new approach to targeted attacks on banks. They were not wrong. The June incident was a "test" of a new attack technique that the attackers would begin using in July in the CIS, Europe, and Asia. For example, over $2m USD was stolen from 34 ATMs operated by the First Bank, one of Taiwan's largest banks. In october 2016 Group-IB published the report
about the Cobalt group. Now, a year later, this group is continuing to attack banks, which is reported monthly by Group-IB's Threat Intelligence team.
Initially the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands directly to the dispenser to issue cash. Then the group shifted to other systems in the bank including card processing, payment systems, SWIFT. Once gaining access to such systems, attackers studied how payments and other financial transactions are conducted to repeat them. That said, the services, such as payment processing systems or SWIFT are not actually hacked or the 'weak point'. The actual vulnerability is the bank and the protection methods against such advanced attacks.
The Cobalt group's attacks are always executed according to the same template. The basic principles of targeted attacks on financial institutions have not changed since 2013 when the Anunak, Corkow, Buhtrap, and Lurk groups began conducting the first attacks on Russian banks. The only thing that has changed is the tools. Attack stages are shown in fig. 1.