Police Investigate Cosmos Bank Hack$13.4 Million Stolen in 28 Countries After Malware Attack
Police in India have launched a formal investigation of a malware attack on a Cosmos Bank ATM server that enabled attackers to siphon off US$13.4 million. The hackers cloned the bank's Visa and Rupay debit cards and used them to siphon cash from ATMs on Aug. 11 and Aug. 13, according to the bank.
Some security experts allege the Pune-based bank had an outdated ATM payment switch and card management system that may have had vulnerabilities that enabled attackers to gain access.
Attack on the Banking System?
But the bank claims the incident was a broader international attack on the banking system.
Cosmos Bank Chairman Milind Kale notes in a statement: "Cosmos Cooperative Bank in Pune has become the latest victim of the cyber fraudsters as hackers infiltrated into the bank's system and siphoned of $13.4 million between August 11 and August 13." On Aug. 13, $2.1 million was transferred to a Hong Kong-based entity ALM Trading Ltd. using SWIFT, he adds.
"Our security systems have not been compromised," Kale says. "It was as late as in July 2018 when the RBI inspected the bank's IT robustness and it has also sent about four officials who are examining the extent of damage."
The bank's managing director, Suhas Gokhale, sent out an SMS to customers saying the attack was "not at all" on the core banking system where accounts are maintained.
Kale says that after the malware attack on the critical communication system between various payment gateways was hacked, members of the hacker gang were informed simultaneously in 28 countries and they immediately started the withdrawals.
As a precautionary measure, the bank has closed all its servers and net banking facilities.
Police Investigation Launched
Meanwhile, the Maharashtra state police has formed a Special Investigation Team to probe the case.
The Mid-day newspaper reports that Brijesh Singh, Maharashtra Police's cybersecurity head said: "Under the guidance of the DGP, we along with cyber experts and Pune police will set up an SIT. There are two lines of investigation in this case, including one about the SWIFT system of payment. We will check if notes pertaining to the bank's security were taken during audits. We will also look into the possibility of inside involvement."
Theories on What Happened
Some payment experts theorize that the fraud involved breaching the firewall in servers that authorize ATM transactions, according to the Economic Times. After this, a proxy server likely was created and transactions authorized by the fake or proxy server, says Pune-based Rohan Vibhandik, a cybersecurity practitioner and researcher at a large IT organization. This meant that the ATMs were being directed to release money without checking whether the cards were genuine or whether there was a bank account, he says.
A police complaint filed by the bank states that the hackers used unidentified malware to hack the system and clone card details of the bank customers, the Economic Times reports.
Given the sophistication of the way the attack was carried out, some practitioners do not rule out a nation-state attack. Others emphasize the urgent need to address a lack of preparedness among cooperative banks in India to mitigate cyberattacks.
"To me personally, the finger of suspicion points to North Korea given that these state supported hackers have in the past have carried out several ransomware attacks, the Sony Pictures attack and other attacks on SWIFT infrastructure to generate income for the North Korea regime," says C.N. Shashidhar, founder and CEO at SecurIT solutions, a cybersecurity consulting firm.
The National Payments Council of India, the umbrella organization that operates retail payments and settlement systems in India, blamed Cosmos Bank's weak IT environment for paving the way for the cyberattack.
"This has happened due to a malware-based attack on bank's IT system, which has caused a fraud," says Bharat Panchal, NPCI's head of risk management. "Under the attack, maximum transactions have been reported from outside India. We wish to reiterate that our systems are fully secure and we are monitoring the situation continuously. We are there to support the bank in identifying the cause of this fraud."
Vibhandik says: "The hackers seem to have taken control of the ATM switch and create a proxy switch using man-in-the-middle attack which pre-authorized the transactions."
When debit card transactions take place, the ATM system connects to a switch, which in turn connects to a banking server. The switch is mutually authenticated with banking servers.
"Attackers deployed the malware attack on the switch, and then replicated it as a genuine switch and routed all transaction through the illegitimate or replicated switch," Vibhandik claims. Using such aparallel proxy switch and cloned debit or RuPay cards, the hackers self-approved the transactions to siphon out money, he believes.
The bank could not immediately identify the falsified transactions because the rogue switch functioned like a genuine switch, Vibhandik claims. "Such malware-based man-in-the-middle attacks and spoofing attacks are prevalent in current cyber era. Phishing must have been used by attackers to introduce a malware into the banking system," Vibhandik says.
"What makes this ATM attack different from others is that this wasn't directly targeted at the ATM machines, unlike what usually happens when ATM machines are compromised due to obsolete OS," he adds.
Shashidhar notes: "It seems the bank's fraud detection mechanism is non-existent. There should have been a red alert when so many overseas transactions were taking place at such a short span of time."
The bank also may have failed to adequately invest in its SOC, which should have analyzed the traffic coming in, some security practitioners say.
In its statement, the bank contended it has adequate IT security in place.
The incident obviously raises many questions.
"It's not clear how many ATMs were used for this withdrawal. If there were so many transactions in 28 different countries, it means that a huge group of people came together for this well-organized crime," says Tamaghna Basu, CTO at neoEYED, an identity management firm.
"Also, who is the card issuer of the fake cards? We need to check if there was an anomalous change on withdrawal limits or deactivation of fraud controls. Overall, this is an alarming incident and the entire banking fraternity should be worried and take enough preventive mechanism for this."
Others question the security measures the bank took to mitigate such risks.
"About 450 cloned debit cards were used for withdrawing money in over seven hours in 28 countries. Why did not the bank receive any red alert when out of the blue so many red alerts were getting generated?" asks the CISO of a Tamil Nadu-based bank, who requested anonymity.