The Cobalt gang, a group of cybercriminals known for its persistence and precision in executing attacks against banks, has regrouped despite the arrest of its alleged leader. The first attack attributed to the group was tracked in June 2016 at a large Russian bank, where the attackers attempted to steal money from ATMs. They infiltrated the bank’s network, gained control over it, compromised the domain administrator’s account, and reached the ATM control server.
Russian threat intelligence firm Group-IB says the Cobalt gang, which may have stolen as much as €1 billion from banks in 40 countries over a two-year operation, is back in business. The Central Bank of Russia reportedly considers the gang one of the main threats to the country’s banking system, owing to its insight into banking systems and its complex approach to network infiltration.
Cobalt is known for its meticulous planning: it studies ATM systems, card-processing systems and the international interbank payment messaging system SWIFT before executing attacks. A snapshot of the group’s attack stages is shown below:
Figure 1: the Cobalt group’s stages of attack (Source: www.group-ib.com)
Spanish police announced in March that they had arrested a Ukrainian national identified only as “Denis K.”; Spanish authorities alleged that Denis K. had laundered much of the money stolen by the Cobalt gang and converted it into bitcoin. Denis K. had allegedly amassed 15,000 bitcoins, worth $119 million at the time (Source: bankinfosecurity.com).
Despite Denis K.’s arrest, Cobalt’s remaining members seem to be regrouping to continue their activities, judging by a phishing campaign launched last week. The gang, sometimes referred to as the “Anunak” or “Carbanak” gang (names taken from two strains of malware developed by the group), has been tied to attacks involving both Carbanak and Cobalt malware. Experts have also compared the two malware families, noted similarities and concluded that they may come from the same source. Anunak malware first appeared in 2013 and later developed into a more sophisticated strain called Carbanak, which remained in use in 2016.
Figure 2: Evolution of Carbanak and Cobalt (Source: Europol)
Group-IB has noted that the remaining Cobalt members may join existing groups or a fresh ‘redistribution’ will result in a new cybercriminal organization – ‘Cobalt 2.0’ – which may continue attacks on banks worldwide.
Cobalt Gang’s Modus Operandi
Besides having money mules pick up the cash from ATMs, the crooks also had these tricks up their sleeves:
Group-IB says Cobalt’s latest activity follows the same pattern, based on a spear-phishing campaign it saw launched on Wednesday that focuses on Russia, other Russian Commonwealth countries and possibly also western financial institutions. “Interestingly, the spear-phishing emails were designed to appear [to be from] a large anti-virus vendor,” Group-IB says; the emails spoofed companies including Kaspersky Lab, IBM, Verifone and the anti-spam nonprofit Spamhaus.
The spoofed Kaspersky Lab email came from a bogus domain that, Group-IB says, was registered under the same registrant name that has been tied to domains used in other Cobalt attacks. The emails warn that the user has violated a law and should download a letter; clicking the link launches an attack that tries to install a Trojan called “Coblnt.” Group-IB says it believes that members of both the Cobalt and Carbanak gangs have been jointly running these operations.
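The brand-spoofing described above (a vendor name in the display name or subject, sent from a domain the vendor does not own) is something a mail gateway or SIEM rule can catch without any threat-intelligence feed. The following is an added example, not code from Group-IB or from the article: a small Python check that flags a message when it invokes a known brand but its sender domain is not (or is not a subdomain of) that brand’s legitimate domain. The brand-to-domain table and all sample headers are constructed for the example; a real deployment would maintain its own verified vendor list.

```python
import re
from email.utils import parseaddr

# Constructed mapping of brand names to the domains they legitimately send from.
# These entries are an assumption for the example, not an authoritative list.
KNOWN_BRANDS = {
    "kaspersky": {"kaspersky.com"},
    "ibm": {"ibm.com"},
    "verifone": {"verifone.com"},
    "spamhaus": {"spamhaus.org"},
}


def sender_domain(from_header):
    """Return the lowercased domain part of a From: header, or '' if absent."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(". ")


def domain_belongs_to(domain, legit_domains):
    """True if domain equals, or is a subdomain of, any legitimate domain."""
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)


def check_sender(from_header, subject=""):
    """Return the list of brands a message impersonates.

    A brand is flagged when its name appears as a whole word in the From:
    header (display name, local part or domain) or in the subject, while the
    actual sending domain is not one of that brand's legitimate domains.
    """
    domain = sender_domain(from_header)
    text = (from_header + " " + subject).lower()
    flagged = []
    for brand, legit in KNOWN_BRANDS.items():
        mentioned = re.search(r"\b" + re.escape(brand) + r"\b", text) is not None
        if mentioned and not domain_belongs_to(domain, legit):
            flagged.append(brand)
    return flagged


def scan_messages(messages):
    """Run check_sender over (from_header, subject) pairs; return only hits."""
    results = []
    for from_header, subject in messages:
        brands = check_sender(from_header, subject)
        if brands:
            results.append((from_header, brands))
    return results


# Constructed sample headers in the style of the campaign described in the
# article (vendor display name, legal-violation lure, look-alike domain).
SAMPLE_MESSAGES = [
    ("Kaspersky Lab <noreply@kaspersky-lab-security.com>",
     "Violation notice: please download the attached letter"),
    ("IBM Security <alerts@mail.ibm.com>", "Monthly security digest"),
    ("Spamhaus <abuse@spamhaus.org>", "Listing notification"),
    ("Verifone Billing <billing@verif0ne-pay.com>", "Verifone invoice overdue"),
    ("Bob <bob@example.com>", "Lunch on Friday?"),
]

if __name__ == "__main__":
    for from_header, brands in scan_messages(SAMPLE_MESSAGES):
        print(f"SPOOF? {from_header!r} impersonates {brands}")
```

The whole-word match keeps “ibm” from firing on unrelated words, and the subdomain test keeps genuine mail from hosts such as `mail.ibm.com` out of the alerts; a look-alike such as `kaspersky-lab-security.com` still triggers because the hyphen is a word boundary but the domain is not under `kaspersky.com`.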
It is worth noting that isolated subnets are soft targets. Many organizations, including financial institutions with reasonable information security programs, invest in technology to control unauthorized external access but consider their isolated subnets to be safe. However, all of these subnets are administered by people, and there is practically always some path into a secured subnet from an unsecured one, even if it is just a single computer with a unique account. Like most hackers, this is exactly what Cobalt’s operators look for.
It is a known fact that it takes attackers between two and six weeks to gain access to critical infrastructure. This means that infosec specialists have an average of four weeks to identify attackers on a network. Anti-virus solutions do not help here; what helps is depth of knowledge about how, by whom, and with what tools the attacks are conducted. That is why it is critical to update software in a timely manner and to study reports from threat intelligence specialists that provide indicators of compromise and describe current hacking techniques.