Anti-Phishing, DMARC , Card Not Present Fraud , Email Threat Protection

Cobalt Cybercrime Gang Reboots After Alleged Leader's Bust

Cybercrime Gang Tied to $1 Billion in Losses Has Returned, Group-IB Warns
Cobalt Cybercrime Gang Reboots After Alleged Leader's Bust
Globex Bank's SWIFT systems were targeted by Cobalt in December 2017. (Photo: Globex Bank)

A group of cybercriminals known for its persistence and precision in executing attacks against banks has regrouped despite the arrest of its alleged leader.

See Also: OnDemand: Mobile Apps are the New Endpoint

Russian threat intelligence firm Group-IB says the Cobalt gang, which may have stolen as much as €1 billion ($1.2 billion) from banks in 40 countries over the last two years, is back in business.

Cobalt is known for its meticulous planning when studying ATM systems, card processing systems and the international interbank payment messaging system SWIFT before executing attacks. Group-IB says that the Central Bank of Russia considers the gang to be one of the main threats to the country's banking system.

In March, however, Spanish police announced that they'd arrested a Ukrainian national identified only as "Denis K." Spanish authorities alleged that Denis K. had laundered much of the money stolen by the Cobalt gang, and converted it into bitcoin cryptocurrency. Denis K. had allegedly amassed 15,000 bitcoins, which at the time were worth $119 million (see Spain Busts Alleged Kingpin Behind Prolific Malware).

Despite Denis K.'s arrest, Cobalt's remaining members now appear to have resumed their activities, based on a phishing campaign that first launched last week.

"The most likely scenario is that remaining Cobalt members will join existing groups or a fresh 'redistribution' will result in a new cybercriminal organization - 'Cobalt 2.0' - continuing attacks on banks worldwide," Group-IB says in a report released Monday.

ATM Cash-Out Attacks

Cobalt is known for more than using spear-phishing emails to steal people's financial information. The group has also been tied to a significant July 2016 attack against ATMs operated by First Bank of Taiwan. The bank fell victim to a "jackpotting" - aka cash-out - attack, in which attackers plant malware onto ATMs that enables them to instruct the machines to dispense all of their cash (see Taiwan Heist Highlights ATM Weaknesses).

The campaign compromised dozens of First Bank ATMs, leading to a reported $2.2 million in losses for the bank.

Jackpotting attacks, however, are a risky endeavor for criminals because they require low-level money mules to be dispatched in person to collect money from machines. Many gangs, however, treat money mules as expendable.

"After gaining access to computers on a target bank, Cobalt often spent three to four weeks to study the internal infrastructure of the organization, collecting information about and observing the function of payments systems."
—Group-IB

Indeed, Taiwan later arrested and sentenced three Eastern European men for serving as money mules for the gang. But authorities believe that as many as 19 other individuals involved in the attacks, including higher-level members of the gang, fled the country before they could be apprehended (see Taiwan Sentences Money Mules in ATM Attacks).

The Cobalt gang has been blamed for ATM jackpotting attacks in many countries, including Russia, the U.K., the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia and Malaysia.

But the group eventually seemed to move away from targeting ATMs to instead pursuing payment gateways, card processing systems and fraudulent SWIFT money-moving messages.

"After gaining access to computers on a target bank, Cobalt often spent three to four weeks to study the internal infrastructure of the organization, collecting information about and observing the function of payments systems, and only then conducting their attack," Group-IB says.

Target: SWIFT-Using Banks

Attackers have sought to exploit poor security controls at banks that use SWIFT to create fraudulent transfer requests that result in money sent to accounts they control.

The most notable such incident to date involved attackers attempting to steal nearly $1 billion from the New York Federal Reserve account of the central bank of Bangladesh. The heist, which has been attributed to the cash-strapped government of North Korea, resulted in the theft of $81 million and quickly became a PR disaster for SWIFT (see Bangladesh Bank Heist: Lessons Learned).

Bangladesh Bank headquarters in Dhaka (Photo: Google Street View)

SWIFT, an international cooperative based in Brussels, says it counts more than 11,000 financial institutions across 200 countries and territories that use its interbank messaging system. Following the Bangladesh Bank heist, SWIFT overhauled its approach to security, by increasing the size of its security team, launching a 24/7 security operations center and holding its users to higher security standards.

Fraudulent Money-Moving Messages

Meanwhile, security experts say a number of cybercrime gangs continue to attempt to steal money from banks via fraudulent SWIFT money-moving messages.

The Cobalt gang, for one, displayed an early interest in SWIFT, including a 2016 attack against a bank in Hong Kong. The attack employed JavaScript, planted in an authorization form, that compromised the SWIFT credentials for bank employees. That attack also used "unique" malware that searched for SWIFT payment confirmation messages and transferred those files to attackers, Group-IB says.

Cobalt's interest in SWIFT has continued. Group-IB says last year it found indications that Cobalt was working with the Carbanak group, another well-known cybercrime gang, on more SWIFT-related attacks.

In December 2017, Cobalt launched a SWIFT-related attack in Russia against Globex Bank - the first time such an attack had ever been seen in the country, Group-IB says. Reuters reported in December that attackers attempted to steal 55 million rubles ($940,000) but managed to get away with only $100,000.

"The stolen money was ... withdrawn through SWIFT" and "the fraudulent transactions were conducted manually using a remote connection to the bank," Group-IB says in its report.

Beware Of Phishing Emails

A spear-phishing email sent by Cobalt pretended to be from security firm Kaspersky Lab. (Source: Group-IB)

Most of Cobalt's attacks kick off with a well-known attack vector: spear-phishing emails. By crafting legitimate-looking emails with malicious attachments or links, despite ongoing improvements in spam filtering and domain blacklisting, many of these messages still make it to end users and appear enticing enough to be clicked.

Group-IB says Cobalt's latest activity falls along the same line, based on a spear-phishing campaign it saw launch on Wednesday that focuses on Russia, other Russian Commonwealth countries and possibly also western financial institutions.

"Interestingly, the spear-phishing emails were designed to appear [to be from] a large anti-virus vendor," Group-IB says.

The spear-phishing emails spoofed companies including Kaspersky Lab, IBM, Verifon and the anti-spam nonprofit Spamhaus, Group-IB says.

The spoofed Kaspersky Lab email came from a bogus domain that Group-IB says was registered by someone who used the same registrant name that's been tied to domains used in other Cobalt attacks. The emails warn that the user has violated a law and should download a letter. Clicking the link then launches an attack that tries to install a Trojan, called "Coblnt."

Group-IB says it believes that members of both the Cobalt and Carbanak gangs have been jointly running these operations.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.