Three Days of the Cosmos Bank
Banks are a universal feature throughout the world. They exist under varied forms of government, in a range of asset sizes, and make loans in various amounts, from micro-loans of a few hundred dollars to loans of millions of dollars. India is no different from other countries with respect to banking. One of its banks is Cosmos Bank, the second-largest cooperative bank in India, based in the western city of Pune.
Banks are attacked and compromised for two primary reasons. First, they hold ample personal data on their clients, including but not limited to legal name, address, credit score, social security number, account numbers with balances, and an epic amount of further data. Second, there is the little issue of money, which may be exfiltrated physically or digitally.
This attack occurred from August 11 to 13, 2018. Malware was placed on the bank’s ATM servers, which approve the transactions. What made the attack work so well was the bank’s architecture: in normal operation, the core banking system received debit card payment requests through a “switching system”. The attackers first bypassed the firewall that was in place, then bypassed this switching system by placing a proxy switch in the network. Approvals for the fraudulent payments were then issued through this alternative, unauthorized false proxy instead of the legitimate switch.
The attack operation itself took place within those three days and was well-planned, carried out in multiple phases. First, 12k-15k withdrawals were made from the affected accounts within a relatively short time period. The fraudulent proxy server approved the transactions without verifying the card’s authenticity. These 12k withdrawals added up to a rather significant amount, and a majority of them occurred overseas. The full list of countries involved had not been released at the time of writing; those named include Canada, Hong Kong, and India, among others. The ATM portion of the overall operation occurred within 7 hours across these 22-28 countries using 450 cloned cards, and curiously many of the transactions occurred in Canada. Even with these specific security issues, the bank’s chairman stated that the bank’s security systems had not been compromised. Clearly the operation was well-managed.
Later in the day on August 11, 2018, another 2,800 card transactions were used to steal 2.5 crore rupees. In addition, 944m rupees, or $13.5M USD, was wired to a Hong Kong based entity. On August 13, 2018, the last day of the attack, $2.1m USD, or 13.94 crore rupees, was wired to ALM Trading Ltd., a Hong Kong company. The wires or transfers were made through the SWIFT system.
After the Attack
As a natural standard operating procedure, the bank filed a complaint with the police. The bank alleged in the complaint that the malware used by the attackers to breach the system was also used to clone the customers’ cards. Given the extent of the breach and what the attackers were able to accomplish, the situation makes one question what fraud and cybersecurity processes were in place at the bank and “actively” working.
In a statement, the bank responded that it had adequate IT security in place, although the facts argue against this interpretation. The bank also contracted a professional cybersecurity forensic agency, which began reviewing the logs. As the investigation continues, a number of questions remain to be answered. These include:
a. How many ATMs were used for the withdrawals across the various countries?
b. A large number of people had to be involved to operate and manage the attacks. What entity was the primary managing entity for the operation across all the countries?
c. With this large number of cards used in so many countries, who created and distributed these cards?
d. There should have been a fraudulent activity monitoring system in place, yet no issues were noted through a majority of the attack. Was this system actively monitoring transactions in real time?
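The kind of real-time monitoring question (d) asks about can be made concrete. The following is an added example, not the bank’s code or anything from the investigation: a small stateful monitor over a stream of debit-card authorization records that raises the three alerts the pattern described above would have triggered, namely an approval issued by a node that is not the bank’s authorized switch (the rogue proxy), an approval rate far above baseline, and one card used in two countries too close in time to be physically possible. The node names, thresholds and sample records are all constructed for illustration.

```python
"""Real-time authorization checks for an ATM switching path (added example).

Feed Authorization records in time order; observe() returns the alerts
raised by that record. Node names, thresholds and sample data below are
constructed for illustration, not taken from the Cosmos Bank incident.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Authorization:
    ts: datetime
    card: str        # masked card reference (constructed)
    country: str     # country of the ATM that sent the request
    amount: float
    approver: str    # identifier of the node that issued the approval


# Hypothetical allowlist of the bank's legitimate switching nodes.
AUTHORIZED_SWITCHES = frozenset({"switch-01"})


class AuthorizationMonitor:
    """Stateful monitor: call observe() for each record in time order."""

    def __init__(self, allowed=AUTHORIZED_SWITCHES,
                 rate_window=timedelta(minutes=10), max_per_window=50,
                 hop_window=timedelta(hours=1)):
        self.allowed = allowed
        self.rate_window = rate_window
        self.max_per_window = max_per_window
        self.hop_window = hop_window
        self._recent = deque()   # timestamps of approvals inside rate_window
        self._last_seen = {}     # card -> (timestamp, country) of last use

    def observe(self, auth):
        alerts = []
        # 1. The approval must come from a legitimate switch, not an
        #    unknown proxy inserted into the network.
        if auth.approver not in self.allowed:
            alerts.append(f"UNAUTHORIZED_APPROVER {auth.approver} card={auth.card}")
        # 2. Sliding-window approval rate: drop timestamps older than the
        #    window, then compare the count against the baseline ceiling.
        self._recent.append(auth.ts)
        while self._recent and auth.ts - self._recent[0] > self.rate_window:
            self._recent.popleft()
        if len(self._recent) > self.max_per_window:
            alerts.append(f"VELOCITY {len(self._recent)} approvals in {self.rate_window}")
        # 3. Same card seen in a different country within the hop window.
        prev = self._last_seen.get(auth.card)
        if prev and prev[1] != auth.country and auth.ts - prev[0] <= self.hop_window:
            alerts.append(f"COUNTRY_HOP card={auth.card} {prev[1]}->{auth.country}")
        self._last_seen[auth.card] = (auth.ts, auth.country)
        return alerts


def build_sample_stream():
    """Constructed records: a quiet domestic baseline, then a burst of
    approvals from a rogue node with cards reused across countries."""
    t0 = datetime(2018, 8, 11, 9, 0)
    stream = []
    # Baseline: one domestic approval every 5 minutes from the real switch.
    for i in range(12):
        stream.append(Authorization(t0 + timedelta(minutes=5 * i),
                                    f"card{i:03d}", "IN", 2000.0, "switch-01"))
    # Burst two hours later: 60 approvals in under 6 minutes from an unknown
    # node; 20 cards each reused in three passes through different countries.
    tb = t0 + timedelta(hours=2)
    countries = ("HK", "CA", "HK")
    for i in range(60):
        stream.append(Authorization(tb + timedelta(seconds=6 * i),
                                    f"card{i % 20:03d}", countries[i // 20],
                                    250.0, "proxy-x"))
    return stream


def run(stream, monitor=None):
    """Process a stream and return a count of alerts by kind."""
    monitor = monitor or AuthorizationMonitor()
    counts = {}
    for auth in stream:
        for alert in monitor.observe(auth):
            kind = alert.split()[0]
            counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(run(build_sample_stream()))
```

On the constructed stream the baseline produces no alerts, while the burst produces an UNAUTHORIZED_APPROVER alert for every one of its 60 records, VELOCITY alerts once the 10-minute window exceeds 50 approvals, and COUNTRY_HOP alerts each time a card reappears in a different country minutes later. The approver check is the cheapest of the three and is the one that directly targets the proxy-switch technique described above: an approval whose origin is not on the allowlist is suspicious regardless of amount or rate.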
The attack and exfiltration were unfortunate; however, this was a well-planned and distributed attack, and there are many areas to be reviewed.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.