Cobalt: logical attacks on ATMs
Report outlining activity of the Cobalt hacker group attacking banks
in Europe and Asia
Request 
Key facts
Banks of at least 14 countries including Russia, the UK, the Netherlands and Malaysia have suffered the attacks from this criminal group.
The 'touchless jackpotting' technique employed does not involve any physical manipulations of ATMs.
Bank systems are infected using tools that are widely available in public sources.
The shortest time taken to obtain total control over the banking network – 10 minutes.
Discover in detail about
How this attack’s malware spreads through internal banking networks and provides for its survivability.
Functional specifics of the ATM malware used to dispense money on demand.
The attack scheme and roles of group members.
Indicators of Compromise and attack prevention tactics.
Logical attacks on ATMs are expected to become one of the key threats targeting banks: they enable cybercriminals to commit fraud remotely from anywhere globally and attack the whole ATM network without being 'on the radar' of security services. That said, this type of attack does not require development of expensive advanced software – a significant amount of the tools used are widely available on the deep web. Every bank is under threat of logical attacks on ATMs and should be protected accordingly.
Dmitry Volkov
Chief Technical Officer, Сo‑founder Group‑IB
Group-IB research on targeted attack groups
Hi-Tech Crime Trends 2020/2021
Source of strategic data on the global cyber threat landscape and forecasts for its development
UltraRank: the unexpected twist of a JS-sniffer triple threat
New stage in JS-sniffers research. From analyzing malware families to identifying threat actors. For five years, the cybercriminal group UltraRank has conducted campaigns using JS-sniffers and managed to stay unnoticed for the most part.
RedCurl: The pentest
you didn’t know about
Research of the new espionage APT-group RedCurl and its elaborate attacks on enterprise companies in North America, Europe and CIS.
Online Piracy Research:
Jolly Roger’s patrons
Group-IB exposes financial crime network
of online pirates in developing countries.
of online pirates in developing countries.
Fxmsp: “The invisible god of networks”
The evolution of Fxmsp — one of the most notorious and prolific sellers of access to corporate networks on underground forums. Group-IB researchers analyzed Fxmsp’s activity on underground forums for three years and discovered that the threat actor had compromised networks of more than 130 targets.
Hi-Tech Crime Trends 2019/20
Strategic intelligence data on state-sponsored groups, industry-specific cyberthreats, targeted attacks on banks and banking clients.
Attacks by Silence
A comprehensive technical analysis of Silence’s tools, tactics, and evolution. This is the first time Group‑IB’s reports of this kind have been made publicly available.
Thrip
The Chinese hacker group Thrip is known for espionage and sabotage attacks. In particular, they target organizations in the satellite communications sector.
Xenotime
Xenotime, known for its malware called Triton (aka Trisis), had improved its malware and its new version could be used to attack various industrial safety systems.
Hi-Tech Crime Trends 2018
Introducing the research on cybersecurity trends and predictions for the next year. Plan your cybersecurity strategy effectively.
Crime without punishment: in-depth analysis of JS-sniffers
In-depth analysis and new types of a growing threat — JS‑sniffers — designed to steal payment data.
2018 Cryptocurrency Exchanges
Estimation of the number of login and passwords leaks of cryptoсurrency exchanges users and analysis their nature. Recommendations for ensuring security of users and exchanges.
Cobalt: their evolution and joint operations
Learn about Cobalt’s development and modification of tools and tactics which were used to steal approximately 1 billion dollars from over 100 banks in 40 different countries.
Hexane
HEXANE is a new group targeting the industrial sector. Its members have been active since mid-2018, focusing on the Middle East, Central Asia, and Africa.
Chafer
The goal of the group Chafer (aka APT39) is to collect personal data for further user monitoring and tracking operations in support of Iranian national interests.
Silent Cards
APT group from Kenia targeting regional banks.
Hi-Tech Crime Trends 2017
Introducing the research on cybersecurity trends and predictions for the next year. Plan your cybersecurity strategy effectively.
Muddywater
The state-sponsored group MuddyWater gained access to the local network of Korek Telecom, a mobile operator based in Erbil, Iraq.
Lazarus Arisen: Architecture, Techniques and Attribution
Lazarus group targets the largest international banks as well as central banks in various countries.
Winnti
Winnti group has been observed since May 2012. The cybercriminals originate from China. The majority of victims detected to date have been in electronic gaming, multimedia, and Internet content industries, although against technology companies, healthcare and telecom.
Lazarus Arisen: Architecture, Techniques and Attribution
Lazarus group targets the largest international banks as well as central banks in various countries.
LeafMiner
LeafMiner hackers, believed to be based in Iran, use watering hole attacks to infiltrate targeted organizations.
Hi-Tech Crime Trends 2016
Learn about the evolution of cyber crime in 2016 and find out what predictions for 2017 came true. Spoiler: most of them did.
APT33
In late 2018, APT33 (aka Elfin, Magnallium) resumed its attacks using a new variant of the Shamoon Trojan, targeting oil, gas, telecommunications, and energy companies as well as government organizations.
MoneyTaker
This hacker group is noticeable for 1.5 years of silent operations and multiple attacks. They still pose a threat: learn about MoneyTaker techniques and indicators of compromise now.
Buhtrap
From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25 mln.
Lurk
In February 2015, the group stole 150 million rubles ($2,3 million) from a Russian bank. Members of the criminal group were arrested in May 2016.
Analysis of attacks against trading and bank card system
Group-IB annual report on speculative fluctuations of exchange rate and other incidents in 2015 caused by the Trojan program Corkow (Metel).
Anunak: APT against financial institutions
This research includes the findings of Group-IB and Fox‑IT on Anunak (Carbanak) group, which focused its activity on banks and electronic payment systems.
Lazarus Arisen: Architecture, Techniques and Attribution
Lazarus group targets the largest international banks as well as central banks in various countries.
Regin
Regin is a stealthy attack platform that has been used to target organizations across various sectors and countries since at least 2008. It was attributed to US and British intelligence. The malware was reportedly used in attacks targeting EU government networks, telecoms, private companies, and research institutes.
BlackEnergy
BackEnergy is one of the most advanced energy sector-oriented groups and has caused disruptions in energy organizations more than once.
Dragonfly
The group Dragonfly, believed to be sponsored by Russia, focuses on collecting data from energy and industrial facilities.
APT10
Chinese state-sponsored group APT10 conducted the large-scale attack to obtain CDR records belonging to a large telecommunications provider.
Hi-Tech Crime Trends 2020/2021
Source of strategic data on the global cyber threat landscape and forecasts for its development
UltraRank: the unexpected twist of a JS-sniffer triple threat
New stage in JS-sniffers research. From analyzing malware families to identifying threat actors. For five years, the cybercriminal group UltraRank has conducted campaigns using JS-sniffers and managed to stay unnoticed for the most part.
RedCurl: The pentest
you didn’t know about
Research of the new espionage APT-group RedCurl and its elaborate attacks on enterprise companies in North America, Europe and CIS.
Online Piracy Research:
Jolly Roger’s patrons
Group-IB exposes financial crime network
of online pirates in developing countries.
of online pirates in developing countries.
Fxmsp: “The invisible god of networks”
The evolution of Fxmsp — one of the most notorious and prolific sellers of access to corporate networks on underground forums. Group-IB researchers analyzed Fxmsp’s activity on underground forums for three years and discovered that the threat actor had compromised networks of more than 130 targets.
Hi-Tech Crime Trends 2019/20
Strategic intelligence data on state-sponsored groups, industry-specific cyberthreats, targeted attacks on banks and banking clients.
Attacks by Silence
A comprehensive technical analysis of Silence’s tools, tactics, and evolution. This is the first time Group‑IB’s reports of this kind have been made publicly available.
Thrip
The Chinese hacker group Thrip is known for espionage and sabotage attacks. In particular, they target organizations in the satellite communications sector.
Xenotime
Xenotime, known for its malware called Triton (aka Trisis), had improved its malware and its new version could be used to attack various industrial safety systems.
Hi-Tech Crime Trends 2018
Introducing the research on cybersecurity trends and predictions for the next year. Plan your cybersecurity strategy effectively.
Crime without punishment: in-depth analysis of JS-sniffers
In-depth analysis and new types of a growing threat — JS‑sniffers — designed to steal payment data.
2018 Cryptocurrency Exchanges
Estimation of the number of login and passwords leaks of cryptoсurrency exchanges users and analysis their nature. Recommendations for ensuring security of users and exchanges.
Cobalt: their evolution and joint operations
Learn about Cobalt’s development and modification of tools and tactics which were used to steal approximately 1 billion dollars from over 100 banks in 40 different countries.
Hexane
HEXANE is a new group targeting the industrial sector. Its members have been active since mid-2018, focusing on the Middle East, Central Asia, and Africa.
Chafer
The goal of the group Chafer (aka APT39) is to collect personal data for further user monitoring and tracking operations in support of Iranian national interests.
Silent Cards
APT group from Kenia targeting regional banks.
Hi-Tech Crime Trends 2017
Introducing the research on cybersecurity trends and predictions for the next year. Plan your cybersecurity strategy effectively.
Muddywater
The state-sponsored group MuddyWater gained access to the local network of Korek Telecom, a mobile operator based in Erbil, Iraq.
Lazarus Arisen: Architecture, Techniques and Attribution
Lazarus group targets the largest international banks as well as central banks in various countries.
Winnti
Winnti group has been observed since May 2012. The cybercriminals originate from China. The majority of victims detected to date have been in electronic gaming, multimedia, and Internet content industries, although against technology companies, healthcare and telecom.
Lazarus Arisen: Architecture, Techniques and Attribution
Lazarus group targets the largest international banks as well as central banks in various countries.
LeafMiner
LeafMiner hackers, believed to be based in Iran, use watering hole attacks to infiltrate targeted organizations.
Hi-Tech Crime Trends 2016
Learn about the evolution of cyber crime in 2016 and find out what predictions for 2017 came true. Spoiler: most of them did.
APT33
In late 2018, APT33 (aka Elfin, Magnallium) resumed its attacks using a new variant of the Shamoon Trojan, targeting oil, gas, telecommunications, and energy companies as well as government organizations.
MoneyTaker
This hacker group is noticeable for 1.5 years of silent operations and multiple attacks. They still pose a threat: learn about MoneyTaker techniques and indicators of compromise now.
Buhtrap
From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25 mln.
Lurk
In February 2015, the group stole 150 million rubles ($2,3 million) from a Russian bank. Members of the criminal group were arrested in May 2016.
Analysis of attacks against trading and bank card system
Group-IB annual report on speculative fluctuations of exchange rate and other incidents in 2015 caused by the Trojan program Corkow (Metel).
Anunak: APT against financial institutions
This research includes the findings of Group-IB and Fox‑IT on Anunak (Carbanak) group, which focused its activity on banks and electronic payment systems.
Lazarus Arisen: Architecture, Techniques and Attribution
Lazarus group targets the largest international banks as well as central banks in various countries.
Regin
Regin is a stealthy attack platform that has been used to target organizations across various sectors and countries since at least 2008. It was attributed to US and British intelligence. The malware was reportedly used in attacks targeting EU government networks, telecoms, private companies, and research institutes.
BlackEnergy
BackEnergy is one of the most advanced energy sector-oriented groups and has caused disruptions in energy organizations more than once.
Dragonfly
The group Dragonfly, believed to be sponsored by Russia, focuses on collecting data from energy and industrial facilities.
APT10
Chinese state-sponsored group APT10 conducted the large-scale attack to obtain CDR records belonging to a large telecommunications provider.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Advanced protection against cyber threats
Group-IB’s security ecosystem provides comprehensive protection for your IT infrastructure based on our unique cyber intelligence and deep analysis of attacks and incident response.
Threat
Intelligence
Intelligence
Аctionable, finished intelligence to track actors and prevent attacks before they happen
Threat Hunting Framework
Comprehensive solution to protect corporate network, hunt for threats and respond to even the most complex cyber attacks
Fraud Hunting Platform
Client-side fraud and attack prevention system for online banking, working across sessions, platforms and devices
Fraud Hunting Platform
Protection from bots, fraud and data leakage for e‑commerce and web portals