Seven Arrests in Cosmos Bank HeistInvestigation Authorities Hope to Identify the Root Cause
Police have made seven arrests of suspected money mules involved in the theft of $13.5 million from Cosmos Bank in Pune (see: Cosmos Bank Heist: No Evidence of Major Hacking Group).
The money was stolen through ATMs and unauthorized SWIFT transaction in 28 nations Aug. 11-13 (see: Police Investigate Cosmos Bank Hack).
Jyotipriya Singh, the deputy commissioner of Pune Police, who is a member of the team investigating the case, tells Information Security Media Group: "The seven accused are money mules who were employed to steal the money, working for a bigger operational gang actually involved in the conspiracy. My 10-member team is continuing its investigation to spot those behind the heist."
The suspects also were allegedly involved in stealing some Rs 33.93 crore from Chennai-based City Union Bank last December, using methods similar to those used in the Cosmos Bank heist, Singh says.
Those arrested for allegedly using cloned cards for fraud in the Cosmos Bank incident, according to Singh, are: Shaikh Mohammad Abdul Jabbar, Fahim Azim Khan, Naresh Maharana, Yustace Augustine Vaz, Fahim Mehfooz Shaikh, Kunal Shukla and Mahesh Sahebrao Rathod.
"Their absolute and irrefutable involvement was revealed in the CCTV footage we have obtained from the ATMs related to Cosmos Bank," Singh says. "They confessed to involvement in the Chennai hack case too," she says.
Two cases are registered in Chennai, she explains; one is for international transactions and another for domestic ones.
"After we made arrests in the Cosmos Bank case, Chennai police shared CCTV footage of some ATMs in the City Union bank," the Singh said. "We found that four of the seven accused are seen in some of the ATM footage from Chennai."
In December 2017, City Union Bank officials had lodged a complaint with the Chennai police that unidentified persons had hacked into the bank's server and stolen data, using it later for withdrawals from ATMs and money transfers to some accounts, she says. "We are working with our Chennai counterparts in hunting for the main group and locating the source of the cards."
So far, the team has recovered about Rs 3.65 lakhs from the accused in the Cosmos bank heist case.
Investigation in Progress
Brijesh Singh, inspector general of police-cyber, for the Maharashtra Police, who is overseeing the investigation, says the Cosmos Bank attack was well-engineered.
"While we have zeroed in on the money mules, we are probing the multi-country fraud and aim to nab the mastermind behind it," he says. "It is a very big case, and a very resource-intensive project involving multiple organizations working at ascertaining the exact cause."
Cosmos Bank hired PwC India to conduct a post-breach forensic study, and the consultancy has submitted its report to the bank, Singh says.
"We are awaiting the investigation report from SWIFT, the platform which the hackers used to siphon off Rs 13.5 crore to a Hong Kong-based entity on August 13," she adds.
National Payments Corp. of India is also preparing a post-breach investigation report because the transactions in India were done through NPCI's Rupay cards.
Sources at PwC who initiated the technical forensic investigation said that two malicious codes were discovered in the logs using the IP address. The code is used across the system server and memory to tap the logs.
Brijesh Singh urged banks to use appropriate techniques to monitor their servers and systems.
Krishna Sastry, executive director-forensics and incidence response at PwC India, says that in many breaches, attackers abuse the Windows PowerShell configuration management framework. Scripting shells can be one of the most effective attack points for an operating system. They offer an advantage to an attacker by providing a layer of abstraction that anti-virus applications have no idea how to interpret.
As a best practice to discover anomalies and vulnerabilities, banks should implement the common Infrastructure for Sandboxing for UAT of the technology services, says Milind Rajhans , former CISO of AP Urban Mahesh Co-operative Bank.
Security practitioners also recommend the creation of a robust cyber threat sharing platform that banks could use to help detect early warning signals of attacks.