Group-IB, the leading provider of intelligence-driven cyber-security, has reported that in spite of the arrests of the Cobalt gang leader and malware writer Cobalt has continued to strike.
The arrest of the Cobalt gang leader in Alicante (Spain) has not yet led to the conclusion of attacks against financial institutions from this targeted attack group. On the morning of March 26 (approximately 11:00 MSK time), Group-IB’s Computer Emergency Response Team identified spear phishing emails which were sent by Cobalt acting as SpamHaus, a well-known non-profit organization that fights against spam and phishing. The letter sent to targets from firstname.lastname@example.org (the real domain of «Spamhaus» is spamhaus.org), claimed that the IP addresses of the target company were blocked due to suspicions of sending spam. In order to «solve» the problem, the authors of the letter invited the victim to follow the link: leading to the download of a Microsoft Office document which was in fact malware. After analysing the structure of the attack, specialists from the malware analysis department confirmed that Cobalt is behind the campaign.
Cobalt is one of the most active criminal groups, responsible for targeted attacks on banks. According to Europol, the group has stolen approximately one billion euros from 100 banks in 40 countries. On March 26, Europol reported a large-scale operation was conducted by the Spanish National Police with the support of Europol, the FBI, and law enforcement agencies of Romania, Taiwan and the Republic of Belarus. As a result, the leader of Cobalt was detained in Spain, and the author of Cobalt malware was arrested by Ukrainian authorities in the Ukraine.
Group-IB’s CTO, Head of Threat Intelligence Department
Since 2016, Cobalt has successfully attacked banks in Russia, the United Kingdom, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia, Taiwan, Malaysia and other countries. Group-IB forensic specialists were amongst the first to investigate Cobalt’s attacks on Russian and foreign banks and in November 2016 issued a public report on the activities of the group.
Initially, hackers specialized in logical attacks on ATMs. In addition to ATM management systems, the Cobalt group attempted to access payment gateways and card processing systems. Additionally, At the end of 2017, for the first time in the financial institution history in Russia, they made a successful attack on a bank using the system of interbank transfers (SWIFT). The Central Bank of Russia considered Cobalt the main threat to the Russian financial industry.
For a considerable time, Cobalt’s «secret of success» consisted in the fact that the hackers of the group constantly tested new tools and schemes, often changing the location of attacks and familiarizing themselves with how the bank worked. After gaining access to computers on a target bank, Cobalt often spent two to four weeks to study the internal infrastructure of the organization, observes the working process, and only then conducting their attack.
It is also worth noting that the group did not only target banks, but also software development, media and insurance companies. The group would gain access to these third parties and subsequently conduct attacks on banks increasing their probability of success.
It is great to see such cooperation from international law enforcement and the private industry to bring such a group to justice. Group-IB will be ready and monitoring for signs of future activities from targeted attack groups impacting the banking sector.