How hackers managed to steal $13.5 million in Cosmos bank heist

An in-depth look into the incident reveals how the 112-year-old bank may have been swindled out of millions.
Written by Charlie Osborne, Contributing Writer

Earlier this month, reports surfaced which suggested that Cosmos Bank, India's oldest at 112 years old, had become the victim of a cyberattack which left the institution millions out of pocket.

The attack reportedly took place in two stages between August 10 and 13. According to the Hindustan Times, malware was used on the bank's ATM server to steal the credit card information of customers, alongside SWIFT codes required for transactions.

The first wave involved the theft of roughly $11.5 million in transactions from multiple countries. In the second wave, on the same day, close to $2 million was withdrawn through debit card transactions across India.

Funds were later transferred to Hong Kong through fraudulent SWIFT transactions.

Cosmos Bank chairman Milind Kale said the cyberattack was a global effort as cyberattackers operated from "22 nations." The bank pointed the finger at Canada as the place of origin for many of the fraudulent transactions.

Reports also suggest that the threat actors failed in their first attempt to compromise the bank's systems, but no alert was issued to put the bank on guard against suspicious activity.

No funds have been debited from customer accounts.

On Monday, security researchers from the Securonix Threat Research team gave us a technical glimpse into how the bank heist may have been able to take place and suggested that North Korea may be to blame.


Following a so-called "patient zero" compromise of the banking system, potentially through a spear phishing campaign or unauthorized access to a remote control interface, the researchers say that "multiple targeted malware infections" were used to compromise the bank's internal and ATM infrastructure.

The malware was used in tandem with an infected central ATM or POS switch. When the first stage of the attack was implemented, the malware likely severed the connection between central systems and the backend core banking system (CBS) to prevent transaction verification.


Securonix said that after this connection was compromised, the central malicious switch was used to tamper with target account balances to enable unauthorized ATM withdrawals.

In total, Securonix says 2,849 domestic and 12,000 international transactions took place using 450 cloned debit cards in 28 countries throughout the heist.


"Attackers were likely able to send fake Transaction Reply (TRE) messages in response to Transaction Request (TRQ) messages from cardholders and terminals," the researchers say. "As a result, the required ISO 8583 messages (an international standard for systems that exchange electronic transactions initiated by cardholders using payment cards) were never forwarded to the backend/CBS from the ATM/POS switching solution that was compromised, which enabled the malicious withdrawals and impacted the fraud detection capabilities on the banking backend."
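The two detection opportunities the article describes, a switch approving withdrawals the core banking system never saw and a small set of cloned cards used across many countries in a short time, can be checked with a simple reconciliation job. The following is an added example written for this page; it is not code from Securonix, Cosmos Bank or the article. It uses a few simplified ISO 8583 fields (the retrieval reference number in field 37 and the response code in field 39, where "00" means approved), and the log records, card labels and country codes are constructed sample data, not real transactions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real bank records). Each entry is one ATM
# transaction as the switch saw it: the request (ISO 8583 MTI 0200) and the
# response code the switch put in its reply (MTI 0210). "00" means approved.
SWITCH_LOG = [
    {"rrn": "823000000001", "card": "card-A", "country": "IN", "amount": 10000, "ts": "2018-08-11T03:01:00", "rc": "00"},
    {"rrn": "823000000002", "card": "card-A", "country": "CA", "amount": 40000, "ts": "2018-08-11T03:04:00", "rc": "00"},
    {"rrn": "823000000003", "card": "card-B", "country": "IN", "amount": 5000,  "ts": "2018-08-11T03:05:00", "rc": "00"},
    {"rrn": "823000000004", "card": "card-C", "country": "IN", "amount": 2000,  "ts": "2018-08-11T03:06:00", "rc": "51"},
    {"rrn": "823000000005", "card": "card-B", "country": "HK", "amount": 30000, "ts": "2018-08-11T03:07:00", "rc": "00"},
    {"rrn": "823000000006", "card": "card-D", "country": "IN", "amount": 1500,  "ts": "2018-08-11T03:08:00", "rc": "00"},
]

# What the core banking system (CBS) actually authorized. In the scenario the
# article describes, the switch stopped forwarding requests, so most of the
# switch's approvals have no CBS counterpart. Constructed sample data.
CBS_AUTH_LOG = [
    {"rrn": "823000000001", "rc": "00"},
    {"rrn": "823000000004", "rc": "51"},
    {"rrn": "823000000006", "rc": "00"},
]


def unbacked_approvals(switch_log, cbs_log):
    """Return RRNs the switch approved that the CBS never authorized.

    A switch reply of "00" with no matching CBS approval is exactly the
    condition a severed switch-to-CBS link (or a forged reply) produces.
    """
    cbs_by_rrn = {r["rrn"]: r["rc"] for r in cbs_log}
    return [
        e["rrn"]
        for e in switch_log
        if e["rc"] == "00" and cbs_by_rrn.get(e["rrn"]) != "00"
    ]


def unbacked_share(switch_log, cbs_log):
    """Fraction of switch approvals with no CBS authorization.

    Some lag between the two logs is normal; a jump towards 1.0 over a short
    window is the signal that the switch is answering on its own.
    """
    approved = [e for e in switch_log if e["rc"] == "00"]
    if not approved:
        return 0.0
    return len(unbacked_approvals(switch_log, cbs_log)) / len(approved)


def multi_country_cards(switch_log, window=timedelta(hours=1)):
    """Return cards approved in more than one country within `window`.

    The value for each flagged card is the set of countries it was used in.
    Cloned cards cashed out in parallel across countries cannot physically be
    present in all of them, so a one-hour window is a conservative threshold.
    """
    by_card = defaultdict(list)
    for e in switch_log:
        if e["rc"] == "00":
            by_card[e["card"]].append((datetime.fromisoformat(e["ts"]), e["country"]))

    flagged = {}
    for card, uses in by_card.items():
        uses.sort()
        for i, (t1, c1) in enumerate(uses):
            for t2, c2 in uses[i + 1:]:
                if t2 - t1 <= window and c1 != c2:
                    flagged.setdefault(card, set()).update({c1, c2})
    return flagged


if __name__ == "__main__":
    print("switch approvals with no CBS authorization:",
          unbacked_approvals(SWITCH_LOG, CBS_AUTH_LOG))
    print(f"share of approvals unbacked by CBS: "
          f"{unbacked_share(SWITCH_LOG, CBS_AUTH_LOG):.0%}")
    print("cards approved in several countries within an hour:",
          multi_country_cards(SWITCH_LOG))
```

The reconciliation only works if the CBS authorization log is collected on the CBS side rather than through the switch, since a compromised switch controls what it forwards; the same holds for shipping both logs to a monitoring system that neither the switch nor the ATM network can write to.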

In the second wave, in which $2 million was stolen, it is possible the threat group moved laterally across Cosmos Bank's SWIFT environment. The researchers say that three fraudulent transactions were then sent to a trader's account at Hang Seng Bank in Hong Kong.

The attack has been attributed to Lazarus, a state-sponsored threat group believed to be connected to North Korea's ruling party. The group has previously been linked to devastating attacks such as the WannaCry ransomware outbreak and attacks on financial institutions in Indonesia and South Korea.


"In case of the Cosmos Bank attack, this was not the typical basic card-not-present (CNP), jackpotting, or blackboxing fraud," Securonix said. "The attack was a more advanced, well-planned, and highly-coordinated operation that focused on the bank's infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance."
