phone  +234 806 719 1062

Cybercrime Gang – Cobalt – Reinforces for Another Round of Havoc

Cobalt gang – a group of cybercriminals known for its persistence and precision in executing attacks against banks has regrouped, despite the arrest of its alleged leader. An attack conducted by the group was tracked first in June 2016 at a large Russian bank, where they attempted to steal money from ATMs. The attackers infiltrated the bank’s network, gained control over it, compromised the domain administrator’s account, and reached the ATM control server.

Russian threat intelligence firm Group-IB says the Cobalt gang, which may have stolen as much as €1 billion from banks in 40 countries over a two year operation, is back in business. It was observed that the Central Bank of Russia considers the gang to be one of the main threats to the country’s banking system due to it insights into banking systems and complex approach to network infiltration.

Cobalt is known for its meticulous planning when studying ATM systems, card-processing systems and the international interbank payment messaging system SWIFT before executing attacks. See below a snapshot of the group’s attack stages:

Figure 1: the Cobalt group’s stages of attack (Source:

Spanish police announced that they arrested a Ukrainian national identified only as “Denis K.” in March while Spanish authorities alleged that Denis K. had laundered much of the money stolen by the Cobalt gang, and converted it into bitcoin cryptocurrency. Denis K. had allegedly amassed 15,000 bitcoins, which at the time were worth $119 million (Source:

Despite Denis K.’s arrest, Cobalt’s remaining members seems to be regrouping to continue their activities, based on a phishing campaign launched last week. The gang sometime referred to as either “Anunak” or “Carbanak” gang. The names referring to two strains of malware developed by the group – has been tied to attacks involving both Carbanak as well as Cobalt malware. Experts also had compared the malwares noting possible similarities and concluded that they may be from same source. Anunak malware first appeared in 2013, and later developed into a more sophisticated strain called Carbanak, which remained in use in 2016.

Figure 2: Evolution of Carbanak and Cobalt (Source: Europol)

Group-IB has noted that the remaining Cobalt members may join existing groups or a fresh ‘redistribution’ will result in a new cybercriminal organization – ‘Cobalt 2.0’ – which may continue attacks on banks worldwide.

Cobalt Gang’s Modus Operandi

  1. Send spear-phishing emails, purporting to come from legitimate companies but bearing malicious attachments, to bank employees.
  2. Once bank employees fell for it and clicked on the attachments, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network.
  3. From there, the attackers infected servers controlling the ATMs. They’d send commands to specific ATMs to spit out cash, and money mules would be waiting to pick it up.

Besides having money mules pick up the cash from ATMs, the crooks also had these tricks up their sleeves:

  1. They use the e-payment network to transfer money into criminal accounts.
  2. Databases with account information were modified so account balances would be inflated, with money mules collecting the money.
  3. They laundered some stolen funds via cryptocurrencies, by means of prepaid cards linked to the cryptocurrency wallets that they used to buy things like luxury cars and houses.

In conclusion

Group-IB says Cobalt’s latest activity falls along the same line, based on a spear-phishing campaign it saw launch on Wednesday that focuses on Russia, other Russian Commonwealth countries and possibly also western financial institutions. “Interestingly, the spear-phishing emails were designed to appear [to be from] a large anti-virus vendor,” Also, the spear-phishing emails spoofed companies including Kaspersky Lab, IBM, Verifon and the anti-spam nonprofit Spamhaus, Group-IB says.

The spoofed Kaspersky Lab email came from a bogus domain that Group-IB says was registered by someone who used the same registrant name that’s been tied to domains used in other Cobalt attacks. The emails warn that the user has violated a law and should download a letter. Clicking the link then launches an attack that tries to install a Trojan, called “Coblnt.” Group-IB says it believes that members of both the Cobalt and Carbanak gangs have been jointly running these operations.

It is worthy of note that subnets are soft targets. Many organization including financial institutions with reasonable information security programs normally invest in technology to control external unauthorized access but consider their isolated subnets to be safe. However, all of these subnets are controlled by people, and there is practically always access to a secure subnet from an unsecured one, even if it’s just from one computer with a unique account. Just like most hackers, this is exactly what cobalt hackers will be looking for.

It is a known fact that it takes bad guys between two and six weeks to gain access to critical infrastructure. This means that the infosec specialists have an average of four weeks to identify attackers on a network. Anti-virus solutions do not help, the only thing that can help here the dept of  knowledge of how, who, and with what tools hackers are attacking. That’s why, it is critical to update software in a timely manner and study reports from Threat Intelligence specialists that provide indicators of compromise and modern hacking techniques. 


Return to Knowledge Centre

We are open for orders. Purchase your professional tool-kits and resources today. Click here Dismiss