Cobalt hacker group no longer a threat?

Author : News Agency

Source : 112 Ukraine

One of the most dangerous hacker groups, which has robbed over 100 banks in more than 40 countries, is no longer a threat to the world financial institutions
09:55, 28 March 2018

Read the original text at


Open source

World banks can take a little break now. It seems that they have lost one of the main cyber threats – Cobalt hacker group, which has stolen more than 1 billion dollars from about 100 financial institutions around the world.

Europol has announced the capture of the leader of one of Cobalt, the most dangerous hacker groups, terrorizing banks around the world for the past five years. The detention took place in the Spanish city of Alicante and was the result of a complex three-year investigation conducted by the local police, with the support of the European legal order organizations, the US FBI, Belarusian, Romanian, and Taiwan authorities, as well as private companies engaged in information security sphere.

Related: Court arrests organizer of Avalanche cyber network for two months

Europol does not disclose the name of the detained hacker and his other personal data. Presumably, this will be done during the court hearings if they are open to the public. However, the department does not conceal that the detainee is "from the Russian-speaking world", and Spanish law enforcers even claim that he is a citizen of Ukraine.

According to Spanish Minister of the Interior and Deputy for Seville Juan Ignacio Zoido, a 34-year-old Ukrainian citizen who called himself Denys K., was detained in Alicante, El Mundo reports.

He lived in Spain with his family for about four years (since 2014). During this time he managed to buy a house, two expensive cars, and jewelry.

Related: U.S. intelligence suspects Russia of cyber-attacks on PyeongChang Olympics

The Spanish police have no doubt that this Ukrainian was "the brains" of the Cobalt cyber group: he developed a malicious program, assembled a team, and directed each of the virus attacks against the computer systems of the financial institutions.

In addition, another important function in the group was performed by three more people - two Ukrainians and a Russian. In particular, one of them specialized in linking malicious software, the other - on banks’ computer systems, the last one recruited regional executors, the so-called droppers (persons for withdrawing funds through ATMs).

Related: Russia outraged by Britain’s accusations of cyber-attack on Ukraine

According to the Spanish police, they have been identified already, but not detained yet. Also, 15 droppers were identified, four of them are detained (in Great Britain, Taiwan, Belarus, and Kyrgyzstan).

It is noteworthy that Denys K. does not consider his activity as something bad. During his first court statements, he called himself Robin Hood, who steals money from "bad guys" – banks, not from the ordinary people.

According to Europol, during its existence, Cobalt cybergroup has robbed over 100 banks in more than 40 countries, and the total damage has reached 1 billion euros. "The scale of the losses was extremely significant, for example, the Cobalt program allowed criminals to steal up to 10 million euros at a time," the department stressed.

The geography of the group's fishery is very extensive. Initially, attackers sent phishing emails with infected files to banking institutions of the CIS countries, Eastern Europe, and Southeast Asia, and in 2017, they wrote to banks located in North America, Western Europe, and South America, particularly in Argentina.


Open source

Nevertheless, the main "bad guys," robbed by the hackers of the Cobalt grouping, were the banking institutions of the Russian Federation.

So, for example, in December 2017, using the Cobalt Strike software in Russia, the first attack on the SWIFT financial information transfer system was made. Her victim was the Globex bank, controlled by Vnesheconombank. Then the hackers withdrew an amount equivalent to $ 1 million.

Related: Australia joins US, UK in accusing Russia of NotPetya cyber attack

In total, according to Dmitry Skobelkin, the deputy chairman of the Bank of Russia, the attacks of the Cobalt Strike program cost Russian banks lost over 1.1 billion rubles in 2017. "In total, at least 21 waves of Cobalt Strike attacks were registered in 2017. More than 240 credit organizations were subjected to the attacks, 11 of which were successful," Skobelkin stated in February this year.

No, there were no political motives in the robbery of Russians. Rafael Perez, the commissioner of the anti-cybercrime department of the National Police of Spain, explained that hackers preferred Russian banks, as their defense systems are often obsolete.

According to Europol, Cobalt hacker group has conducted their first operations in 2013, attacking ATMs and other financial infrastructure with the help of Anunak malicious software. Later the software was modified and a version of Carbanak appeared, and after 2016 the cybergroup developed even more sophisticated software - Cobalt Strike.

Related: 36 cyber criminals headed by the Ukrainian indicted in the U.S.

All the attacks had several common features. Hackers sent phishing letters with malicious attachments to employees of financial organizations. When the employee downloaded a malicious program, the criminals received remote control not only over his computer but over the entire internal network of the organization. After that they acted in three schemes:

  1. Gave commands to certain ATMs, so that they began spitting bills at a moment when members of the group were close to them.
  2. Instructed systems of interbank money transfers to transfer money to their accounts.
  3. Changed databases to increase balances on the "right" accounts.

Many people, probably, wonder why we are talking about the elimination of Cobalt, if not all its participants are detained by the law enforcers. The capture of other members of the group is only a matter of time.

Open source

Immediately after the Spanish police announced about the capture of the alleged leader of the cyber group, Ukrainian law enforcement authorities announced the detention of one of his accomplices. It is a 30-year-old resident of Kyiv who has been a member of the group since 2016. He developed and supported the proper operation of malware, which exploited vulnerabilities in the most common software products.

Related: U.S. Senate introduced bill on strengthening cyber aid to Ukraine

Experts believe that those who still walk around free will either create a new criminal grouping, or join the existing ones, but they will not call themselves Cobalt again. The world banks might take a break, but they cannot relax completely. This period of relative calm should be used for strengthening the cyber defense of their computer systems so that subsequent attacks by intruders are not as significant as the damage from the activities of the Cobalt hacker group.


Система Orphus

If you find an error, highlight the desired text and press Ctrl + Enter, to tell about it

see more