Adversary

Carbon Spider

ORIGIN

Russian Federation, Ukraine

Community Identifiers

Carbanak, GOLD KINGSWOOD, FIN7

Carbon Spider is a highly skilled criminal group that primarily targeted the hospitality and retail sectors in pursuit of payment card data.

In May 2021, Colonial Pipeline—operator of 5,500 miles of pipeline from the Gulf Coast to the U.S. East Coast—disclosed a ransomware intrusion and closed down parts of their infrastructure to contain the ransomware attack and begin remediation efforts. The FBI then attributed the ransomware incident to an affiliate of CARBON SPIDER's Darkside Ransomware-as-a-Service. The significance of the ransomware incident prompted responses from CARBON SPIDER who quickly sought to distance themselves from any nation-state affiliations and declared themselves as apolitical. The infection was publicly addressed by U.S. and Russian government officials who both refuted state-nexus involvement and declared the activity as purely financially motivated and criminal in nature.

Active since 2013, the group originally targeted Russian financial institutions, but began to expand their targeting profile in December 2015 to the Middle-East, Europe and the U.S. In mid-2016, indications emerged that the group compromised the cloud-based software solution, Oracle MICROS, which could have been used to conduct malicious operations on users of that solution in the hospitality and retail sectors.

In 2016, part of the group split off to form Cobalt Spider and continue to focus on the financial sector. Carbon Spider primarily relies on spear phishing emails delivering exploit documents, macro documents, or downloader scripts to deliver the custom Harpy backdoor. The adversary uses Harpy to enable persistent access and previously deployed Point-of-Sale (PoS) malware, such as SuperSoft, to harvest card data.

As of June 2020, Carbon Spider has been conducting Big Game Hunting ransomware campaigns. The adversary has used REvil and Darkside for this purpose. In November 2020, Carbon Spider introduced a ransomware-as-a-service (RaaS) affiliate program for Darkside.

Technical Tradecraft

  • Spear phishing campaigns deliver macro-enabled Microsoft Office documents; documents often password-protected
  • Have used spear phishing links to Google Docs pages containing redirects to downloaders hosted on Microsoft Sharepoint
  • Harpy is primary backdoor of choice; Sekur also remains in use and is typically loaded into memory with a proprietary loader
  • Introduced embedded child documents to droppers in November 2019

Targeted Nations

  • Flag Icon of the country Bulgaria

    Bulgaria

  • Flag Icon of the country Czech Republic

    Czech Republic

  • Flag Icon of the country France

    France

  • Flag Icon of the country Germany

    Germany

  • Flag Icon of the country Ireland

    Ireland

  • Flag Icon of the country Kuwait

    Kuwait

  • Flag Icon of the country Lebanon

    Lebanon

  • Flag Icon of the country Norway

    Norway

  • Flag Icon of the country Poland

    Poland

  • Flag Icon of the country Romania

    Romania

  • Flag Icon of the country Russian Federation

    Russian Federation

  • Flag Icon of the country Spain

    Spain

  • Flag Icon of the country United Arab Emirates

    United Arab Emirates

  • Flag Icon of the country United Kingdom

    United Kingdom

  • Flag Icon of the country United States

    United States

  • Flag Icon of the country Yemen

    Yemen

Target Industries

  • Agriculture
  • Automotive
  • Consumer Goods
  • Food and Beverage
  • Hospitality
  • Industrials and Engineering
  • Legal
  • Logistics
  • Real Estate
  • State & Municipal Government
  • Transportation
  • Government
  • Media
  • Retail
  • Technology

Artwork

Adversary: Carbon Spider - Threat Actor

Crowdstrike Carbon Spider

I have read and accept the terms and conditions

Download

Explore Next Adversary

Cobalt Spider

All Adversaries 17

Explore Next Adversary

Terms and conditions

In order to download the adversary artwork, we kindly request you to accept our terms and conditions displayed below.

This image (“artwork”), is the intellectual property of CrowdStrike, Inc. and its affiliates and licensors (collectively, “us” or “we”) and may include other marks, trademarks, copyrighted materials, and other intellectual property (“assets”) that belong t o us, including, without limitation, CrowdStrike, the CrowdStrike logo, and CrowdStrike Falcon. We retain all right, title and interest in and to the artwork and all assets included therein. This artwork is offered to you as a convenience for your lawful a nd non-commercial use, solely as authorized by us, and subject to your compliance with these terms and conditions (“terms”) and any other guidelines or specifications that we may provide from time to time. We reserve the right to change these terms at any time without prior notice.

You should periodically check the latest information posted herein to be sure that you are in compliance. By downloading the artwork, you attest that you are at least 18 years of age and agree to the following terms, which const itute the sole and entire agreement between you and us with respect to the artwork. We reserve all rights not expressly granted to you herein. You may not use or display the artwork in any way: (i) that violates the rights of any person or entity or that may give rise to civil or criminal liability under laws or regulations applicable to you, another user, and/or CrowdStrike; (ii) that is defamatory, obscene, indecent, abusive, harassing, violent, hateful, inflammatory or otherwise objectionable; (iii) tha t is false, deceptive, misleading or fraudulent, including but not limited to: (a) any attempt to impersonate any person or entity, including any other user, CrowdStrike or a CrowdStrike employee; (b) any attempt to misrepresent your identity or affiliation with any person or organization; or (iv) for the purposes of recruiting, advertising, solicitation or commercial activities of any kind without our express written consent.

THE ARTWORK IS PROVIDED TO YOU BY CROWDSTRIKE ON AN “AS IS” AND “AS AVAILABLE” BA SIS, WITHOUT ANY WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. EXCEPT TO THE EXTENT THAT A DISCLAIMER OF LIABILITY IS PROHIBITED UNDER APPLICABLE LAW, IN NO EVENT WILL CROWDSTRIKE, ITS AFFILIATES AND ITS LICENSORS, EMPLOYEES, AGENTS, OFFICERS AND DIRE CTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH YOUR USE, OR INABILITY TO USE, THE ARTWORK.