An exhaustive review of the incident reveals how the bank robbery could have been carried out
A couple of weeks ago, reports began circulating that Cosmos Bank, India's oldest bank with 112 years of existence, had become the victim of a cyberattack in which millions of dollars were stolen from the institution.
According to reports from cyber security specialists at the International Institute of Cyber Security, the attack took place between August 10 and 13. To carry out the theft, malware was injected into the bank's ATM servers to steal customers' card data, along with the SWIFT codes needed to perform the transactions. The first wave of fraudulent transactions involved the theft of nearly $11.5M USD through transactions made in different parts of the world; in the second wave, carried out on the same day, the hackers withdrew about $2M USD through debit card transactions across Indian territory.
The stolen funds were subsequently transferred to Hong Kong through fraudulent SWIFT transactions.
Milind Kale, President of Cosmos Bank, said the cyberattack was a global effort, with activity persisting across 22 nations. The bank's cyber security team pointed out that Canada was the country in which the most fraudulent transactions were carried out. The reports also suggest that the threat actors failed in their first attempt to compromise the bank's systems, but no warning was issued to put the bank on guard against suspicious activity.
Last Monday, cyber security researchers commented on the methods the hackers may have used, pointing to North Korea as the suspected culprit. According to the experts, after the bank's systems were selected for the attack, possibly through a spear phishing campaign, multiple malware infections compromised the bank's internal and ATM maintenance infrastructure.
The malware was used in conjunction with a compromised ATM central switch. In the first stage of the attack, the malware may have cut the connection between the central systems and the core banking system to bypass transaction verification. Once this connection was severed, the malicious central switch was used to manipulate the balances of the targeted accounts and approve unauthorized withdrawals.
Cyber security experts commented that, in total, 2.8K local transactions and 12K international transactions were performed using 450 cloned debit cards.
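The mechanism described above, a rogue switch approving ATM withdrawals while the link to the core banking system is cut, is the kind of divergence a reconciliation check can surface: every approval the switch sends to a terminal should have a matching authorization in the core ledger. The following is an added example, not code from the article or from the bank; the transaction records and the `CORE_AUTHORIZED` set are constructed, and the thresholds are assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SwitchApproval:
    """One approval message the ATM switch returned to a terminal."""
    txn_id: str
    card: str
    country: str
    amount: float


# Constructed sample data (not from the incident): approvals seen on the
# switch side, and the transaction ids the core banking system actually
# authorized in the same window.
SWITCH_APPROVALS = [
    SwitchApproval("T1", "4111-0001", "IN", 200.0),
    SwitchApproval("T2", "4111-0002", "CA", 500.0),
    SwitchApproval("T3", "4111-0002", "CA", 500.0),
    SwitchApproval("T4", "4111-0003", "HK", 450.0),
    SwitchApproval("T5", "4111-0001", "IN", 100.0),
]
CORE_AUTHORIZED = {"T1", "T5"}


def orphan_approvals(approvals, core_authorized):
    """Approvals with no matching core-banking authorization.

    With the core link severed, every approval issued by the rogue switch
    lands here, because the core system never saw the request."""
    return [a for a in approvals if a.txn_id not in core_authorized]


def summarize_orphans(orphans):
    """Count, total amount and per-country distribution of orphan approvals."""
    return {
        "count": len(orphans),
        "total_amount": sum(a.amount for a in orphans),
        "countries": dict(Counter(a.country for a in orphans)),
    }


def orphan_ratio_alert(approvals, core_authorized, max_ratio=0.05):
    """True when the share of unreconciled approvals exceeds max_ratio.

    A healthy switch sits near zero; a cut core link pushes it toward 1.0.
    The 5% threshold is an assumed value, not one from the article."""
    if not approvals:
        return False
    ratio = len(orphan_approvals(approvals, core_authorized)) / len(approvals)
    return ratio > max_ratio
```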
The attack has been attributed to Lazarus Group, a gang of hackers linked to the North Korean government. The group has been associated with cyberattacks of devastating consequences, such as last year's WannaCry ransomware outbreak and attacks on financial institutions in Indonesia and South Korea.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in industry domains such as finance, healthcare and consumer products.