Cobalt Hacking Group Still Active Despite Leader's Arrest

Despite its leader's arrest in Spain two months ago, the Cobalt hacker group that's specialized in stealing money from banks and financial institutions has remained active, even launching a new campaign.

"Cobalt is still active: its members continue attacks on financial organizations and other companies worldwide," said Dmitry Volkov, the Chief Technical Officer of Group-IB, the company who detected this new Cobalt operation.

This new campaign was set in motion last week, May 23, when the company's security experts discovered one of Cobalt's phishing emails, aimed at banks in Russia and other former Soviet states.

Campaign disguised as fake Kaspersky security alerts

According to a report that Group-IB plans to release tomorrow but shared with Bleeping Computer, this spear-phishing email was designed to look like a security alert sent out by fellow Russian cyber-security firm Kaspersky Lab.

Victims were urged to access a link to read and answer to a complaint that Kaspersky received about an alleged criminal act supposedly committed by the victim.

The spear-phishing email was an obvious ruse to lure users on a malicious site where they'd be infected with the CobInt trojan, Group-IB says.

CobInt is a malware strain that was historically used only by the Cobalt group, a clear indicator that the rest of the Cobalt members weren't deterred or phased by their leader's arrests, and appear to have no plan of stopping from hacking banks any time soon.

Group returns to targeting Russian banks

Furthermore, the group looks to have returned to attacking Russian banks, after focusing their recent efforts on other Eastern European targets.

Group-IB says that previous attempts to rob Russian banks had been recorded in December 2017, more than five months ago.

The group is known for silently infiltrating bank networks through individual employee accounts, and infecting other computers on the local network until they find a PC that controls financial transactions.

The group, in spite of its leader's arrest, still remains a force to be reckoned with, and one of the most successful hacker groups known to date. Security experts and law enforcement officials estimate the group made more than €1 billion ($1.16 billion), with a hack average of €10 million ($11.6 million) per heist.

Throughout its history, the group has stolen money through various methods, ranging from sending illegal SWIFT transactions to orchestrating ATM cash-outs. More on the group's modus operandi and their history in our previous coverage.

UPDATE [May 29, 2018]: The Group-IB report on Cobalt's latest campaigns is now live. Fellow cyber-security firm Positive Technologies published a similar report as well.