Cosmos Bank Heist: No Evidence Major Hacking Group InvolvedMissing $13.5 Million - Some via SWIFT Fraud - May Trace to Buggy Hardware
So far, police have not found evidence that a major organized hacking group was responsible for the Cosmos Bank heist, which involved the theft of $13.5 million through ATMs and unauthorized SWIFT transactions in 28 countries between August 11 and 13, according to Brijesh Singh, inspector general of police (state cyber police), Maharashtra Police, who is heading the special investigation team (see: Police Investigate Cosmos Bank Hack)
Law enforcement officials say the incident points to the need for banks to better safeguard their infrastructures.
Immediately following the incident, some observers speculated a major hacking group, such as Cobalt or Lazarus, may have been involved in the heist, based on the sophisticated techniques used. But so far, police have not found evidence tying the hack to any major group, Singh says.
Singh tells Information Security Media Group that the attackers used anti-forensic tools.
"What's worrisome is they have wiped out all tracks, leaving no evidence; it's well-planned," Singh says. "Law enforcement agencies haven't established association of big groups like Lazarus or Cobalt."
Investigation in progress
Pune City Police have started recovering money from some bank customers who found an excess balance in their accounts during the time of the attack and withdrew it with their ATM cards, according to the Indian Express. That news report says police believe these account holders were "accidental beneficiaries" and they don't seem to have a criminal connection with the hackers.
Cosmos Cooperative Bank in Pune became a victim of cyber fraudsters as hackers infiltrated the bank's system and siphoned off $13.5 million between August 11 and August 13. On Aug. 13, $2.1 million was transferred to a Hong Kong-based entity ALM Trading Ltd. using SWIFT.
According to the bank sources, the bank's server was attacked by malware, with the suspects hacking the data of different cards issued by the bank and using an online platform to transfer money.
Singh says police are still attempting to ascertain when the bank's server was compromised and how the payment cards were cloned to withdraw large sums of money through thousands of ATM transactions in India and other countries in seven hours.
Some security experts believe that the ATM switch installed by Cosmos Bank had vulnerabilities that paved the way for cloning.
"The switch was quite outdated without sufficient encryption standards," says Milind Rajhans, former CISO, AP Mahesh Urban Cooperative Bank.
Investigators are attempting to determine "at what stage the cloning occurred - at the EMV level, or infrastructure level; who are the money mules involved; and where are the vulnerabilities in the system," Singh says. "We're involving technology experts, forensic experts, law enforcement, bank staff and others to identify vulnerabilities."
Singh says that unlike some cooperative banks, Cosmos Bank employs a good cybersecurity policy and framework. All its systems are PCI DSS compliant, and the bank has its own own data center and SoC to protect customer data, he notes. "It's surprising how the attack took place, in a swift manner, which even the SoC could not identify."
Steps to Take
The U.S. Federal Bureau of Investigation recently issued an alert about imminent ATM cash-out attack (see: FBI Warns Pending Large Scale ATM Cashout Strike). The FBI noted that virtually all cash-outs occur over weekends, taking advantage of the time when fewer staff members are around to notice anomalies.
Banks need to safeguard every layer of their infrastructure and upgrade their systems, Singh stresses.
In a blog, Sandeep Arora, co-founder and CEO at CyberImmersion, says cyber heists potentially damage not only institutions' reputations, but also those of department heads and directors.
Singh suggests cooperative banks form a consortium and use best practices to conduct a thorough risk assessment of their suppliers and partners and across all layers of infrastructure. "This will enable a cybersecure ecosystem," he says.
The Reserve Bank of India also recently issued a notice to all cooperative banks to use caution while deploying third-party core banking applications, checking for appropriate security standards (see: RBI Warns Cooperative Banks Against App Risks).
The big challenge for these smaller banks is tightening security at the server and application layers and evaluating third-party core banking applications. India has nearly 2,000 cooperative banks, which often depend on third-party applications and lack the capability to assess those applications' security features.
RBI recommends cooperative banks analyze their IT operation environment - including technology, human resources and implemented processes - to identify threats and vulnerabilities.
And all banks should have a designated CISO who is empowered to conduct all risk assessment tests across departments, Rajhans stresses.
"Every cooperative bank must have a CMM-level certified and ISO 27001 framework and ensure their service providers and vendors have similar certifications," he adds.