Group-IB: After Arrest of Its Leader, Cobalt Group Continues to Strike

Group-IB, the leading provider of intelligence-driven cyber-security, has reported that, in spite of the arrests of the Cobalt gang leader and its malware writer, Cobalt has continued to strike.

The arrest of the Cobalt gang leader in Alicante (Spain) has not yet put an end to this targeted attack group's campaigns against financial institutions. On the morning of March 26 (approximately 11:00 MSK), Group-IB's Computer Emergency Response Team identified spear-phishing emails sent by Cobalt impersonating Spamhaus, a well-known non-profit organization that fights spam and phishing. The letter, sent to targets from j.stivens@spamhuas.com (the real Spamhaus domain is spamhaus.org), claimed that the target company's IP addresses had been blocked on suspicion of sending spam. To "solve" the problem, the authors of the letter invited the victim to follow a link leading to the download of a Microsoft Office document which was in fact malware. After analysing the structure of the attack, specialists from the malware analysis department confirmed that Cobalt is behind the campaign.
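The lure above relies on a lookalike sender domain (spamhuas.com standing in for spamhaus.org). A mail-gateway or SOC triage step that catches this class of impersonation is to compare the sender's domain label against the names of brands the organization expects to hear from, tolerating one typo or transposition. The following is an added example written for this article, not Group-IB's tooling or code from the campaign; the brand list and every sample header other than the j.stivens@spamhuas.com address are constructed, and the "name label" heuristic (second-to-last DNS label) is a simplification that stands in for a proper public-suffix lookup.

```python
"""Flag From: headers whose domain mimics a known brand (typosquat check).

Added example for illustration; the brand list and the sample headers
other than j.stivens@spamhuas.com are constructed.
"""
import re
from typing import List, Optional, Tuple

# Brands this organisation expects mail from (constructed list; spamhaus.org
# is the genuine Spamhaus domain named in the article).
KNOWN_BRANDS = ("spamhaus.org", "microsoft.com", "paypal.com")

# Matches "Name <local@domain>" or a bare "local@domain" at the end of the header.
ADDRESS_RE = re.compile(r"<?([^<>\s@]+)@([A-Za-z0-9.-]+)>?\s*$")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, so 'spamhuas' vs 'spamhaus' is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def sender_domain(from_header: str) -> Optional[str]:
    """Extract the lower-cased domain from a From: header value."""
    m = ADDRESS_RE.search(from_header)
    return m.group(2).lower().rstrip(".") if m else None


def name_label(domain: str) -> str:
    """Second-to-last label ('spamhaus' in spamhaus.org). Simplification:
    a real deployment would use the public suffix list here."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_brand(domain: str, brands=KNOWN_BRANDS,
                    max_distance: int = 1) -> Optional[Tuple[str, int]]:
    """Return (brand, distance) for the brand the domain most closely mimics,
    or None. An exact match on a known brand domain is legitimate, not a lookalike."""
    if domain in brands:
        return None
    label = name_label(domain)
    best = None
    for brand in brands:
        dist = osa_distance(label, name_label(brand))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (brand, dist)
    return best


def triage(from_headers: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (header, sender_domain, mimicked_brand, distance) for each
    header whose sender domain impersonates a known brand."""
    hits = []
    for header in from_headers:
        domain = sender_domain(header)
        if domain is None:
            continue
        match = lookalike_brand(domain)
        if match:
            hits.append((header, domain, match[0], match[1]))
    return hits


# Constructed sample headers; the first reproduces the lure from the article.
SAMPLE_FROM_HEADERS = [
    "Spamhaus Abuse Desk <j.stivens@spamhuas.com>",  # transposed letters
    "noreply@spamhaus.org",                           # genuine domain, not flagged
    "Billing <alerts@paypa1.com>",                    # constructed: digit for letter
    "it-desk@microsfot.com",                          # constructed: transposition
    "newsletter@example.net",                         # constructed: unrelated sender
]

if __name__ == "__main__":
    for header, domain, brand, dist in triage(SAMPLE_FROM_HEADERS):
        print(f"LOOKALIKE {domain} ~ {brand} (distance {dist}): {header}")
```

The distance threshold of 1 deliberately trades recall for precision: most typosquats in the wild are a single edit or swap, and a higher threshold quickly starts flagging unrelated short brand names. Pair the check with an allowlist of exact brand domains (as `lookalike_brand` does) so genuine Spamhaus mail is never quarantined by its own lookalike rule.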

Cobalt is one of the most active criminal groups responsible for targeted attacks on banks. According to Europol, the group has stolen approximately one billion euros from 100 banks in 40 countries. On March 26, Europol reported that a large-scale operation had been conducted by the Spanish National Police with the support of Europol, the FBI, and law enforcement agencies of Romania, Taiwan and the Republic of Belarus. As a result, the leader of Cobalt was detained in Spain, and the author of the Cobalt malware was arrested by Ukrainian authorities in Ukraine.

We do not rule out the theory that the remaining members will continue to conduct operations for a period of time with the goal of showing that the individuals arrested were not associated with the group. Given the arrest of the Cobalt Group's leader, such campaigns will soon subside, and the most likely scenario is that remaining Cobalt members will join existing groups or a fresh "redistribution" will result in a new cybercriminal organization attacking banks across the world. In any event, this Group was a worthy adversary in terms of tools and tactics that was brought to justice.

Dmitry Volkov

Group-IB’s CTO, Head of Threat Intelligence Department

Since 2016, Cobalt has successfully attacked banks in Russia, the United Kingdom, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia, Taiwan, Malaysia and other countries. Group-IB forensic specialists were amongst the first to investigate Cobalt’s attacks on Russian and foreign banks and in November 2016 issued a public report on the activities of the group.

Initially, the hackers specialized in logical attacks on ATMs. In addition to ATM management systems, the Cobalt group attempted to access payment gateways and card processing systems. At the end of 2017, for the first time in the history of Russian financial institutions, they carried out a successful attack on a bank via the SWIFT interbank transfer system. The Central Bank of Russia considered Cobalt the main threat to the Russian financial industry.

For a considerable time, Cobalt's "secret of success" lay in the fact that the group's hackers constantly tested new tools and schemes, often changed the location of their attacks, and familiarized themselves with how each bank worked. After gaining access to computers in a target bank, Cobalt often spent two to four weeks studying the organization's internal infrastructure and observing its working processes, and only then carried out the attack.

It is also worth noting that the group did not only target banks, but also software development, media and insurance companies. The group would gain access to these third parties and subsequently use them to conduct attacks on banks, increasing their probability of success.

It is great to see such cooperation from international law enforcement and the private industry to bring such a group to justice. Group-IB will be ready and monitoring for signs of future activities from targeted attack groups impacting the banking sector.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world's most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.