
Secureworks: Hackers Using APT Tools to Attack Financial Institutions

A cyber gang previously operating in Eastern Europe and Russia is threatening U.S. financial institutions, using advanced intrusion tools to aim at high-value targets, a new research report said.

Gold Kingswood, also known as Cobalt, is one of a number of advanced persistent threat groups operating similarly to a nation-state or espionage cyber group in its apparent resources, expertise and understanding of financial services organizations, Secureworks’ Counter Threat Unit (CTU) researchers said.

Secureworks is a Top 100 MSSP for 2018 and 2017.

So far law enforcement hasn’t dented Gold Kingswood’s operations, the researchers said. Even arrests of alleged Gold Kingswood operators last March haven’t visibly slowed the group down.

While most cyber crooks chase “everyday scams and high-volume aspect of the criminal threat landscape,” such as stealing bank card credentials and ransomware, more dangerous crews are looking to take down bigger scores, CTU said in a blog post. “Some cybercriminals are setting their aims higher and focusing on much larger fish,” the researchers wrote. “CTU researchers have observed a growing threat from sophisticated threat actors who pursue high-value targets such as banks and financial services companies and have the capability to exploit and monetize access to payment and other financial systems.”

What is known about Gold Kingswood?

  • It's a “financially motivated” criminal threat group that has successfully attacked financial organizations for at least the last two years.
  • The group uses targeted network intrusion tactics to locate, access, and break into systems that can be monetized.
  • As of March 2018, the threat actors had reportedly stolen approximately $1.2 billion through their global operations.
  • In an attack against the First Commercial Bank of Taiwan, the crew used custom malware specific to the ATM hardware used at the bank. They subsequently dispensed money from the ATMs at a predefined time to money mules waiting at machines.

One of Gold Kingswood’s advanced intrusion tools, referred to by Secureworks' researchers as “SpicyOmelette,” is a JavaScript remote access tool delivered by phishing that uses multiple defense evasion techniques to remain undetected. In one campaign, the mobsters delivered SpicyOmelette through a phishing email containing a shortened link that appeared to be a PDF document attachment. When clicked, the link redirected the system to a Gold Kingswood-controlled Amazon Web Services URL that installed a signed JavaScript file, which was SpicyOmelette, CTU wrote.
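The delivery chain described above (a shortened link dressed up as a PDF attachment, a redirect to a cloud-hosted URL, and a JavaScript file at the end) is something a mail gateway or proxy log review can look for. The following is an added example written for this page, not Secureworks' or CTU's code and not SpicyOmelette detection logic: it triages link text/target pairs extracted from an email and a recorded redirect chain, flagging the mismatches that characterise this pattern. The shortener list, the script-extension list and every URL in the sample data are constructed for illustration.

```python
"""
Added example (not from Secureworks/CTU): flag email links and redirect
chains that look like a script download disguised as a PDF attachment.
All sample URLs below are constructed for illustration.
"""
from urllib.parse import urlparse

# Well-known public URL shorteners; a real deployment would keep its own list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Extensions a gateway should treat as executable script content, not documents.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta")


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _path(url):
    """Lower-cased path component of a URL."""
    return urlparse(url).path.lower()


def link_findings(display_text, href):
    """Return the reasons one (visible text, real target) pair looks like a
    disguised download. An empty list means nothing stood out."""
    findings = []
    host, path = _host(href), _path(href)
    text = display_text.strip().lower()
    claims_pdf = "pdf" in text

    # A link that presents itself as a PDF attachment but goes to a shortener
    # hides its real destination from the reader and from simple URL filters.
    if claims_pdf and host in SHORTENER_HOSTS:
        findings.append("shortened link presented as a PDF attachment")
    # Whatever the text says, a script file is not a document.
    if path.endswith(SCRIPT_EXTENSIONS):
        findings.append("link target is a script file (%s)" % path.rsplit(".", 1)[-1])
    # Visible URL and actual target pointing at different hosts is classic spoofing.
    if text.startswith(("http://", "https://")) and _host(text) != host:
        findings.append("visible URL host differs from actual target host")
    return findings


def redirect_chain_findings(chain):
    """Assess a redirect chain as recorded by a proxy or sandbox (first hop to
    final object)."""
    findings = []
    hosts = [_host(u) for u in chain]
    if any(h in SHORTENER_HOSTS for h in hosts):
        findings.append("chain passes through a URL shortener")
    if _path(chain[-1]).endswith(SCRIPT_EXTENSIONS):
        findings.append("final object is a script file")
    if len(set(hosts)) > 1:
        findings.append("chain crosses %d distinct hosts" % len(set(hosts)))
    return findings


def triage_links(links):
    """Map each flagged target URL to its findings; clean links are omitted."""
    result = {}
    for text, href in links:
        findings = link_findings(text, href)
        if findings:
            result[href] = findings
    return result


# Constructed sample data: (visible link text, real href) pairs from one email.
SAMPLE_LINKS = [
    ("Statement_2018.pdf", "https://bit.ly/2x0example"),
    ("https://bank.example.com/login", "http://login.bank-example.net/"),
    ("Quarterly report", "https://intranet.example.com/q3.pdf"),
]

# Constructed redirect chain: shortener -> cloud-hosted script with a .pdf.js name.
SAMPLE_CHAIN = [
    "https://bit.ly/2x0example",
    "https://example-bucket.s3.amazonaws.com/invoice.pdf.js",
]

if __name__ == "__main__":
    for href, findings in triage_links(SAMPLE_LINKS).items():
        print(href, "->", "; ".join(findings))
    print("chain ->", "; ".join(redirect_chain_findings(SAMPLE_CHAIN)))
```

The two benign-looking checks (a PDF-styled label over a shortener, and a visible URL whose host differs from the real target) are cheap to run at the gateway before any link is followed; the chain check is for the proxy or sandbox side, where the final object's extension is known. The list of shorteners is deliberately a set so that an organisation can extend it from its own telemetry.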

“CTU researchers expect Gold Kingswood’s operations and toolset to continue to evolve, and financial organizations of all sizes and geographies could be exposed to threats from this group,” the security unit said. “The threat group’s detailed understanding of financial systems and history of successful campaigns make it a formidable threat.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.