← threatfilter.dev / all groups / Cobalt Group

Cobalt Group

Also known as: GOLD KINGSWOOD · Cobalt Gang · Cobalt Spider

Overview

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims. Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.

Capabilities

Supply-chain compromise — ATT&CK T1195.002
Exploitation of public-facing / client applications — ATT&CK T1203
Custom malware/implant development — ATT&CK: 3 attributed custom malware families

TTPs — 34 techniques across 9 tactics

Resource Development

T1588.002 Tool

Tools & malware (6)

Mimikatz · More_eggs · SpicyOmelette · SDelete · Cobalt Strike · PsExec

Reporting (3)

Cobalt Group 2.0 — Gorelik, M
Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish — CTU
Multiple Cobalt Personality Disorder — Svajcer, V

Overview

Capabilities

TTPs — 34 techniques across 9 tactics

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Stealth

Discovery

Lateral Movement

Command and Control

Tools & malware (6)

Reporting (3)