Adversary
Carbon Spider
ORIGIN
Russian Federation, Ukraine
Community Identifiers
Carbanak, GOLD KINGSWOOD, FIN7
Carbon Spider is a highly skilled criminal group that primarily targeted the hospitality and retail sectors in pursuit of payment card data.
In May 2021, Colonial Pipeline—operator of 5,500 miles of pipeline from the Gulf Coast to the U.S. East Coast—disclosed a ransomware intrusion and closed down parts of their infrastructure to contain the ransomware attack and begin remediation efforts. The FBI then attributed the ransomware incident to an affiliate of CARBON SPIDER's Darkside Ransomware-as-a-Service. The significance of the ransomware incident prompted responses from CARBON SPIDER who quickly sought to distance themselves from any nation-state affiliations and declared themselves as apolitical. The infection was publicly addressed by U.S. and Russian government officials who both refuted state-nexus involvement and declared the activity as purely financially motivated and criminal in nature.
Active since 2013, the group originally targeted Russian financial institutions, but began to expand their targeting profile in December 2015 to the Middle-East, Europe and the U.S. In mid-2016, indications emerged that the group compromised the cloud-based software solution, Oracle MICROS, which could have been used to conduct malicious operations on users of that solution in the hospitality and retail sectors.
In 2016, part of the group split off to form Cobalt Spider and continue to focus on the financial sector. Carbon Spider primarily relies on spear phishing emails delivering exploit documents, macro documents, or downloader scripts to deliver the custom Harpy backdoor. The adversary uses Harpy to enable persistent access and previously deployed Point-of-Sale (PoS) malware, such as SuperSoft, to harvest card data.
As of June 2020, Carbon Spider has been conducting Big Game Hunting ransomware campaigns. The adversary has used REvil and Darkside for this purpose. In November 2020, Carbon Spider introduced a ransomware-as-a-service (RaaS) affiliate program for Darkside.
Technical Tradecraft
- Spear phishing campaigns deliver macro-enabled Microsoft Office documents; documents often password-protected
- Have used spear phishing links to Google Docs pages containing redirects to downloaders hosted on Microsoft Sharepoint
- Harpy is primary backdoor of choice; Sekur also remains in use and is typically loaded into memory with a proprietary loader
- Introduced embedded child documents to droppers in November 2019
Targeted Nations
Bulgaria
Czech Republic
France
Germany
Ireland
Kuwait
Lebanon
Norway
Poland
Romania
Russian Federation
Spain
United Arab Emirates
United Kingdom
United States
Yemen
Target Industries
- Agriculture
- Automotive
- Consumer Goods
- Food and Beverage
- Hospitality
- Industrials and Engineering
- Legal
- Logistics
- Real Estate
- State & Municipal Government
- Transportation
- Government
- Media
- Retail
- Technology
Artwork

Crowdstrike Carbon Spider
I have read and accept the terms and conditions