27 March 2018

Group-IB: After Arrest of Its Leader, Cobalt Group Continues to Strike

Group-IB, the leading provider of intelligence-driven cyber-security, has reported that, in spite of the arrests of the Cobalt gang's leader and malware writer, Cobalt has continued to strike.

The arrest of the Cobalt gang leader in Alicante (Spain) has not yet led to the end of attacks against financial institutions by this targeted attack group. On the morning of March 26 (approximately 11:00 MSK), Group-IB’s Computer Emergency Response Team identified spear phishing emails sent by Cobalt posing as Spamhaus, a well-known non-profit organization that fights spam and phishing. The letter, sent to targets from j.stivens@spamhuas.com (the real domain of «Spamhaus» is spamhaus.org), claimed that the IP addresses of the target company had been blocked on suspicion of sending spam. In order to «solve» the problem, the authors of the letter invited the victim to follow a link leading to the download of a Microsoft Office document which was in fact malware. After analysing the structure of the attack, specialists from the malware analysis department confirmed that Cobalt is behind the campaign.
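A defender-side check for the lookalike sender domain described above (spamhuas.com, a transposition of the genuine spamhaus.org), as an added Python example that is not part of Group-IB's report; the PROTECTED_DOMAINS list, the distance threshold and the sample From: headers are assumptions constructed for the example.

```python
from email.utils import parseaddr

# Domains to protect from lookalikes (constructed list; the article only
# names the genuine Spamhaus domain, spamhaus.org).
PROTECTED_DOMAINS = {"spamhaus.org"}

def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'spamhuas' vs 'spamhaus' scores 1."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(sender_domain, protected=PROTECTED_DOMAINS, max_dist=2):
    """Return the protected domain that sender_domain imitates, or None.
    Only the label left of the TLD is compared, so a swapped TLD on a
    near-identical name (spamhuas.com vs spamhaus.org) is still caught."""
    sender_domain = sender_domain.lower()
    if sender_domain in protected:
        return None
    label = sender_domain.rsplit(".", 1)[0]
    for legit in protected:
        if osa_distance(label, legit.rsplit(".", 1)[0]) <= max_dist:
            return legit
    return None

def flag_senders(from_headers):
    """Map raw From: header values to (address, imitated_domain) pairs."""
    hits = []
    for hdr in from_headers:
        _, addr = parseaddr(hdr)
        if "@" in addr:
            legit = lookalike_of(addr.split("@", 1)[1])
            if legit:
                hits.append((addr, legit))
    return hits

# Constructed sample headers; the first uses the sender address the article quotes.
SAMPLE_FROM = ["J. Stivens <j.stivens@spamhuas.com>",
               "Spamhaus Abuse <abuse@spamhaus.org>",
               "Payroll <payroll@example-bank.test>"]
```

Running flag_senders(SAMPLE_FROM) flags only the first header; a mail gateway would typically quarantine or tag such messages for review rather than deliver them.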

Cobalt is one of the most active criminal groups responsible for targeted attacks on banks. According to Europol, the group has stolen approximately one billion euros from 100 banks in 40 countries. On March 26, Europol reported that a large-scale operation had been conducted by the Spanish National Police with the support of Europol, the FBI, and law enforcement agencies of Romania, Taiwan and the Republic of Belarus. As a result, the leader of Cobalt was detained in Spain, and the author of Cobalt malware was arrested by Ukrainian authorities in Ukraine.

We do not rule out the theory that the remaining members will continue to conduct operations for a period of time with the goal of showing that the individuals arrested were not associated with the group. Given the arrest of the Cobalt Group’s leader, such campaigns will soon subside, and the most likely scenario is that remaining Cobalt members will join existing groups or a fresh «redistribution» will result in a new cybercriminal organization attacking banks across the world. In any event, this group, a worthy adversary in terms of tools and tactics, has been brought to justice.

Dmitry Volkov, Group-IB’s CTO, Head of Threat Intelligence Department

Since 2016, Cobalt has successfully attacked banks in Russia, the United Kingdom, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia, Taiwan, Malaysia and other countries. Group-IB forensic specialists were amongst the first to investigate Cobalt’s attacks on Russian and foreign banks and in November 2016 issued a public report on the activities of the group.

Initially, the hackers specialized in logical attacks on ATMs. In addition to ATM management systems, the Cobalt group attempted to access payment gateways and card processing systems. Additionally, at the end of 2017, for the first time in the history of Russian financial institutions, they carried out a successful attack on a bank via the interbank transfer system (SWIFT). The Central Bank of Russia considered Cobalt the main threat to the Russian financial industry.

For a considerable time, Cobalt’s «secret of success» lay in the fact that the group’s hackers constantly tested new tools and schemes, often changing the location of attacks and familiarizing themselves with how the bank worked. After gaining access to computers in a target bank, Cobalt often spent two to four weeks studying the internal infrastructure of the organization and observing its working processes, and only then conducted the attack.

It is also worth noting that the group did not only target banks, but also software development, media and insurance companies. The group would gain access to these third parties and subsequently conduct attacks on banks through them, increasing their probability of success.

It is great to see such cooperation between international law enforcement and private industry to bring such a group to justice. Group-IB will be ready and monitoring for signs of future activity from targeted attack groups impacting the banking sector.

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s Threat Hunting Framework (earlier known as TDS), intended for the proactive search for and protection against complex and previously unknown cyberthreats, has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for its Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks, with the company’s patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.
