General description
The Cobalt cybercrime group has been active since 2016. It attacks lending and finance organizations to steal money by breaking into ATMs, card processing and various payment systems (such as SWIFT and the Automated Workstation Client of the Russian Central Bank (AWS-CBR)). Several group members are assumed to have once been part of the earlier Carbanak group. According to FinCERT, losses from Cobalt attacks in Russia exceeded RUB 1 billion in 2017. The group continued its activity even after the arrest of one of its leaders in 2018. One of the largest-scale hacks in which the group was involved targeted the Unistream fast payments system.
Objectives
- Cash theft
Tools
- Cobalt Strike
- CobInt
- CoolPants
- ComDll dropper
- JS backdoor (more_eggs)
Alternative names
- Cobalt Gang
- Cobalt Spider
Targeted sectors
- The finance sector