Cobalt, a highly skilled group of hackers who target banks and financial institutions, may have made a mistake and accidentally leaked a list of all their current targets, according to Yonathan Klijnsma, a security researcher with RiskIQ.
The error occurred in a spear-phishing campaign that took place last week, on November 21.
Klijnsma says the group sent out a mass email, but instead of including the campaign's targets in the email's BCC field, they added their targets' emails in the "To:" field.
By doing so, the Cobalt group let researchers know who they were targeting, giving cyber-security firms a chance to reach out to potential victims and warn them of the ongoing campaign.
According to Klijnsma, the group targeted the emails of employees at financial institutions all over the world, with most targets located in Russia and Turkey.
The spear-phishing email used a subject line of "Changes to the terms," had no inline text, and only featured an RTF file claiming to hold changes to SWIFT, an inter-banking money transfer system.
The RTF file was boobytrapped to exploit CVE-2017-11882, a vulnerability in the Office equation editor component, and was part of a bigger campaign Bleeping Computer reported on last week.
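A mail-gateway triage check for the message shape described above (many unrelated recipient organizations visible in To/Cc, no inline text, an RTF attachment), as an added example that is not code from RiskIQ or Bleeping Computer. The threshold, the function names and every address in the sample are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

RTF_MAGIC = b"{\\rtf"   # RTF content starts with this, whatever the file name claims
MAX_DOMAINS = 5         # assumed threshold; tune it against your own mail flow

def triage(raw_eml: bytes) -> list:
    """Return the reasons a message matches the pattern; an empty list means no match."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    reasons = []
    # A bulk send that skipped BCC exposes many unrelated organizations at once.
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    domains = {addr.rsplit("@", 1)[1].lower() for _, addr in rcpts if "@" in addr}
    if len(domains) > MAX_DOMAINS:
        reasons.append(f"{len(domains)} distinct recipient domains in To/Cc")
    # "No inline text": either no body part at all, or one that is only whitespace.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        reasons.append("no inline text")
    # Identify RTF by content, since the extension is attacker-controlled.
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data.startswith(RTF_MAGIC):
            reasons.append(f"RTF attachment: {part.get_filename()}")
    return reasons

def sample(domains, body, attachment):
    """Build a constructed test message; addresses and file name are made up."""
    m = EmailMessage()
    m["From"] = "sender@mail.example"
    m["To"] = ", ".join(f"staff@{d}" for d in domains)
    m["Subject"] = "Changes to the terms"
    if body:
        m.set_content(body)
    m.add_attachment(attachment, maintype="application", subtype="rtf",
                     filename="changes.doc")
    return m.as_bytes()

if __name__ == "__main__":
    suspicious = sample([f"bank{i}.example" for i in range(8)], "", b"{\\rtf1 constructed}")
    for reason in triage(suspicious):
        print(reason)
```

A match on all three reasons is a cue to quarantine and review, not proof of an exploit; the check does not inspect the RTF for CVE-2017-11882 content.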
Klijnsma also points out that this is not the first time that hackers have accidentally included lists of their targets in the wrong email field. A similar incident took place in March this year.
"The moment a banking group decides to target almost every bank in Kazakhstan by putting 1880 contacts in the 'To' field forgetting to BCC..." pic.twitter.com/ftAuGV0DxD (Yonathan Klijnsma, @ydklijnsma, March 28, 2017)
A quite plausible and popular theory is that the Cobalt hackers might have intentionally included the list of potential targets in the wrong email field to keep cyber-security firms busy with reaching out to fake targets, while the group busied itself with another campaign aimed at the real organizations they wanted to breach.