Commander Saini

COBALT – An Organised Cybercriminal Group

Audience: IT Professionals & Cyber Security Professionals

In March 2018, when Spanish police arrested the alleged leader of the Carbanak/Cobalt/FIN7 cybercrime group, “Denis K.”, it was presumed that this would shut down one of the biggest organised cybercrime groups. It was estimated that at the time of the leader's arrest the group had stolen more than $1.2 billion from 100-plus banks across 40 countries since 2013. In August 2018, the US Department of Justice announced that three additional high-level leaders of the organisation, Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, were in custody and had been indicted. But the ground reality is that Cobalt 2.0 is back.

Its victims included banks and retail supermarkets. Supermarkets with weak cyber security controls are natural places from which to steal card credentials.

Cobalt follows military-like, rigid procedures for hacking. They are meticulous in planning: once the target is identified, prolonged reconnaissance is launched, and all of the victim's processes, procedures and devices are studied, including ATM systems, card-processing systems and the international interbank payment messaging system SWIFT, before attacks are executed.

Their first major attack technique was jackpotting, where the victim's ATM is infected with malware. At a pre-determined time, the ATM spews out all the cash it is holding. A money mule is positioned there at the appropriate time to collect the cash and transfer it to Cobalt in bitcoins. The failure rate was reasonably high; hence this technique is no longer in use. The banks that fell to this Cobalt attack were from Taiwan, Russia, the U.K., the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia and Malaysia.

The next version of the attack was to exploit poor procedural links between banks' internal systems and the SWIFT inter-banking system. (Nirav Modi had also exploited some of these procedural flaws.) The most infamous heist was an attempt to steal nearly $1 billion from the New York Federal Reserve account of the central bank of Bangladesh. The criminals succeeded in stealing $80 million.

Social engineering is the most potent tool in any hacker's or cybercriminal's armoury. A threat or a lure works most of the time. One example used by the Cobalt cybercriminal syndicate is a spear-phishing mail to a targeted bank employee, made to appear as if it came from Kaspersky Lab. As there is nothing to reply to in the main text, the victim may feel confident enough to click on the link to see the content of the letter. This immediately infects the victim's system, and a backdoor to the Cobalt command and control centre is established.


A sample of the spear-phishing email.


Unlike most other cybercriminals, Cobalt does not exploit the backdoor immediately but uses it for further reconnaissance. More victims are created within the targeted bank. This continues until the syndicate has excellent internal information on the victim bank. Only then is a full-fledged attack launched, and a huge sum of money is siphoned off while keeping the transactions below the radar and without triggering any alarm.

Russian and Romanian banks are the latest victims.


Sources:

<https://www.zdnet.com/article/notorious-cyber-crime-gang-behind-global-bank-hacking-spree-returns-with-new-attacks/>

<https://www.bankinfosecurity.com/billion-euro-cybercrime-gang-reboots-after-arrest-a-11037>

<https://www.difesaesicurezza.com/en/cyber-en/the-cybercrime-group-carbanak-aka-cobalt-and-fin7-is-not-yet-defeated/>