Cobalt Group, Cobalt Gang
Cobalt Spider is a financially motivated criminal group responsible for campaigns against financial institutions across a variety of regions, including Russia, Central Asia, Europe, the Middle East, and the Americas.
In 2016, a key individual and several other technical personnel split from CARBON to continue targeting Russia-based financial institutions. CrowdStrike Intelligence has tracked this separate adversary as Cobalt Spider. Cobalt Spider initially used Cobalt Strike in phishing campaigns against financial institutions in the Commonwealth of Independent States (CIS).
The adversary conducts spear phishing campaigns that frequently impersonate financial institutions to deliver a variety of dropper documents, which in turn install the custom COBINT backdoor.
Cobalt Spider has likely monetized access to financial institutions by conducting ATM cash-outs.
While Cobalt Spider initially targeted Russia and the CIS, almost all 2019 campaigns focused on financial institutions outside of this region. Specifically, most 2019 campaigns targeted companies in Europe, the Middle East, and Central and South America.
- Sends spear phishing messages that frequently impersonate financial institutions, including commercial banks as well as SWIFT and the European Central Bank (ECB).
- Has used Google Drive to host exploit documents.
- Created web sites impersonating SWIFT and the ECB, which hosted trojanized updates for the
- Food and Beverage