Cyber Threat Actor: Odinaff
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
1 incident |
|---|
Profile
The threat actor known as Odinaff, also referred to as the Odinaff group, has been observed targeting financial institutions. Open source reporting indicates the group may be based in Russia, though this is not definitively confirmed. Activity attributed to Odinaff became publicly known in October 2016 when researchers linked the group to a series of SWIFT‑focused intrusions. The alias Odinaff is used interchangeably in public reports to describe the same set of activities. Their operations have been associated with the deployment of tools such as Mimikatz, PsExec, Netscan, Ammyy Admin variants, and PowerShell.
Odinaff’s intrusions have been directed at banks and other financial service providers worldwide. No specific geographic limitation has been reported, with victims spread across multiple continents. The primary objective observed in these attacks is to intercept and alter SWIFT messages containing specific transaction keywords. Initial compromise typically occurs via phishing emails that deliver malicious payloads to victim networks. Once inside, the attackers employ a toolkit that includes Mimikatz for credential harvesting, PsExec for remote command execution, Netscan for network reconnaissance, Ammyy Admin variants for remote desktop access, and PowerShell scripts for automation. A distinctive suppressor component is used to delete or hide specific SWIFT messages containing targeted keywords from the local file system, preventing detection by the intended recipient. The group also leverages legitimate administrative tools to blend with normal traffic and avoid raising alarms.
The most publicly documented operation occurred on 12 October 2016, when Odinaff‑linked actors attempted to exploit the SWIFT network using the tactics described above. Symantec researchers noted that it remained unclear whether any funds were successfully extracted during this campaign. To date, no public source has definitively linked Odinaff to a specific state sponsor or organized criminal consortium. The group is therefore characterized in open reporting as a hacking crew focused on financial infrastructure without confirmed governmental backing. Continued monitoring of financial sector threat intelligence remains essential to detect similar SWIFT‑focused intrusion attempts.
