'Cobalt Group' launches new campaign against banks in Romania, Russia

(Getty Images)


Written by

A cash-hungry hacking ring known as the Cobalt Group is continuing to aggressively target banks despite the arrest of its alleged mastermind in March, new research shows.

The cybercrime gang, which researchers have tracked since 2016, gained infamy for alleged attacks on the SWIFT banking-transaction system  that reportedly have cost millions of dollars. Now it has two more banks in Russia and Romania in their sights, according to ASERT, the threat intelligence group of Netscout’s Arbor Networks.

The hackers have gone after the two banks with spearphishing emails that mimic the banks’ vendors.

“ASERT believes Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi,” the researchers wrote, describing the activity as ongoing.

ASERT spotted the activity on Aug. 13, five months after Spanish police arrested the group’s alleged ringleader. That the group is still pugnaciously trying to infect financial institutions is testament to its resilience.

With cybercriminal groups like the Cobalt Group, “you arrest one person and another rears up in [his or her] place,” Richard Hummel, threat research manager with Arbor Networks, told CyberScoop. “Where there’s a vacuum, somebody is going to fill it,”

Two malware samples point to the Cobalt Group’s involvement in the new campaign, according to ASERT, including a JavaScript backdoor that could be used to launch additional payloads. And in a likely effort to boost infection rates, one of the phishing emails sent by the hackers has two malicious links: a “weaponized” Word document and a JPEG file.

“Those backdoors are being used for initial footholds,” Hummel said. “So this may or may not be their endgame.” He said ASERT had not seen any evidence that the two banks’ networks had been breached, only that they had been targeted.

ASERT researchers recommended that bank employees be “trained to spot phishing emails and, where possible, closely inspect emails for look-alike domains that might contain malicious attachments or links.”

Financial cybercrime dies hard

The new research on the Cobalt Group comes less than two weeks after the the Justice Department announced the arrest of three alleged members of FIN7, another well-known, financially-motivated hacking group with global reach.

In a few short years, the prolific FIN7 criminals have caused considerable financial havoc, stealing more than 15 million payment-card records in the United States, according to the Justice Department.

There is some overlap in the publicly-available hacking tools used by the two groups, such as Cobalt Strike Beacon and Mimikatz, according to Kimberly Goody, FireEye’s manager of financial crime analysis. “However, the use of these tools is highly common, and we’ve seen them used by both financially-motivated and nation-state actors and therefore their use alone is not sufficient for attribution purposes,” Goody told CyberScoop.

Another distinction between the groups is that FIN7 is known for its sweeping theft of card payment data, whereas the Cobalt Group has tended to go after financial institutions through ATM “jackpotting” and by targeting SWIFT transfers, she added.

Nonetheless, the groups will likely continue to be linked in the public consciousness because of their resilience and financial ambitions. Like the Cobalt Group, FIN7 has been undeterred by high-profile arrests of its members.

“It is widely believed that the core [FIN7] group consists of at least a dozen individuals and the recent arrests mostly affected the group’s money laundering network, rather than its offensive operations,” Andrei Barysevich, director of advanced collection at cybersecurity company Recorded Future, told CyberScoop. “And while the law enforcement is likely to learn more about the group’s operations as arrestees continue cooperating with the law enforcement, it is too soon to claim a victory, and more attacks will inevitably come. ”

As for the Cobalt Group, Hummel expects the group to continue to evolve and pose a threat to financial institutions. As he pointed out, criminal hacking groups can learn from each other’s tactics. “I don’t think they’re going anywhere,” he said of the Cobalt Group.

Correction, 8/31A previous version of this article incorrectly attributed the new malware campaign to a group known as FIN 7. While there is some overlap in the public hacking tools used by Cobalt Group and FIN 7, they are in fact separate and distinct groups. 


-In this Story-

banking, Carbanak, cybercrime, FIN7, international, Romania, Russia, spearphishing, SWIFT