What Went Wrong: The Case of India’s Cosmos Bank Cyber Heist
More information has recently been revealed about the Cosmos Bank hacking incident, which happened a few weeks ago. As a 112-year-old institution, Cosmos Bank is held in high regard in the Indian banking industry for its security and its long history. That did not stop cybercriminals from penetrating the bank's IT infrastructure and stealing $13.5 million between August 10 and 13. The theft was carried out in two waves of mass unauthorized debit transactions: the first wave, an $11.5 million heist executed from ATMs in various countries, and a second wave worth $2 million debited within Indian territory only.
“Following an earlier patient-zero compromise and lateral movement, on August 10-11, 2018, the bank’s internal and ATM infrastructure was compromised. The exploit involved multiple targeted malware infections followed by standing up a malicious ATM/POS switch (malicious-Central or MC) in parallel with the existing Central and then breaking the connection between the Central and the backend/Core Banking System (CBS). After making adjustments to the target account balances to enable withdrawals, MC was then likely used in fake “*on-us,” foreign-to-EFT, standing-in, etc. activity that enabled the malicious threat actor to authorize ATM withdrawals for over US$11.5 million in 2849 domestic (Rupay) and 12,000 international (Visa) transactions using 450 cloned (non-EMV) debit cards in 28 countries,” said the researchers.
At the time of writing, the funds appear to have been transferred to a Hong Kong account of unknown origin, and the story is still unfolding. The heist was reportedly pulled off through multiple targeted malware infections that weakened the bank's control over its ATM and POS systems.
“Attackers were likely able to send fake Transaction Reply (TRE) messages in response to Transaction Request (TRQ) messages from cardholders and terminals. As a result, the required ISO 8583 messages (an international standard for systems that exchange electronic transactions initiated by cardholders using payment cards) were never forwarded to the backend/CBS from the ATM/POS switching solution that was compromised, which enabled the malicious withdrawals and impacted the fraud detection capabilities on the banking backend,” said Securonix researchers investigating the heist.
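To make the mechanism concrete, here is a toy model of the request/reply flow the researchers describe. It is an added example written for this article, not code from Securonix or from the bank's switching solution. An ATM sends a 0200 financial request; a legitimate switch forwards it to the Core Banking System (CBS) and relays the 0210 reply, while a stand-in switch (the "MC" above) fabricates approvals and never forwards anything, so the CBS ledger never sees the debit. The ISO 8583 field numbers used (2 = PAN, 4 = amount, 11 = STAN, 39 = response code) are the real ones; the class names, the sample card numbers, balances and requests are constructed for the example. The `reconcile` function shows the audit check that exposes the fraud: approvals in the terminal journals with no matching debit in the CBS.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed toy model of the ISO 8583 TRQ/TRE flow between ATM, switch and CBS.
# Field numbers follow ISO 8583; amounts are plain integers for readability
# (the real field 4 is a 12-digit numeric amount in minor units).

@dataclass
class Iso8583Msg:
    mti: str                    # message type indicator: "0200" request, "0210" reply
    fields: Dict[int, object]   # data elements keyed by ISO 8583 field number

class CoreBanking:
    """Backend ledger (CBS): the only component that knows real balances."""
    def __init__(self, balances: Dict[str, int]):
        self.balances = dict(balances)
        self.posted: List[Tuple[str, str, int]] = []   # (STAN, PAN, amount) debits posted

    def handle(self, req: Iso8583Msg) -> Iso8583Msg:
        pan, amount, stan = req.fields[2], req.fields[4], req.fields[11]
        if self.balances.get(pan, 0) >= amount:
            self.balances[pan] -= amount
            self.posted.append((stan, pan, amount))
            code = "00"          # approved
        else:
            code = "51"          # insufficient funds
        return Iso8583Msg("0210", {**req.fields, 39: code})

class Switch:
    """Legitimate ATM/POS switch: forwards every 0200 to the CBS and relays its 0210."""
    def __init__(self, cbs: CoreBanking):
        self.cbs = cbs

    def handle(self, req: Iso8583Msg) -> Iso8583Msg:
        return self.cbs.handle(req)

class MaliciousSwitch(Switch):
    """Stand-in switch: never forwards to the CBS, answers every request with an approval."""
    def handle(self, req: Iso8583Msg) -> Iso8583Msg:
        return Iso8583Msg("0210", {**req.fields, 39: "00"})

class Atm:
    """Terminal: sends a 0200, dispenses cash when field 39 == "00", keeps its own journal."""
    def __init__(self, switch: Switch):
        self.switch = switch
        self.journal: List[Tuple[str, str, int]] = []  # approved (STAN, PAN, amount)

    def withdraw(self, stan: str, pan: str, amount: int) -> bool:
        resp = self.switch.handle(Iso8583Msg("0200", {2: pan, 4: amount, 11: stan}))
        approved = resp.mti == "0210" and resp.fields[39] == "00"
        if approved:
            self.journal.append((stan, pan, amount))
        return approved

def reconcile(journal: List[Tuple[str, str, int]],
              posted: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Approvals the terminals acted on that the CBS never posted.
    A switch that stands in for the backend leaves exactly these orphans."""
    posted_keys = set(posted)
    return [entry for entry in journal if entry not in posted_keys]

def run_scenario(malicious: bool) -> dict:
    """Replay the same three withdrawals through a clean or a stand-in switch."""
    cbs = CoreBanking({"4111111111111111": 100, "5555555555554444": 20})  # constructed
    atm = Atm(MaliciousSwitch(cbs) if malicious else Switch(cbs))
    requests = [
        ("000001", "4111111111111111", 60),
        ("000002", "4111111111111111", 60),    # exceeds the remaining balance of 40
        ("000003", "5555555555554444", 500),   # far exceeds the balance of 20
    ]
    approved = [atm.withdraw(*r) for r in requests]
    return {
        "approved": approved,
        "dispensed": sum(a for _, _, a in atm.journal),
        "cbs_balances": cbs.balances,
        "orphaned": reconcile(atm.journal, cbs.posted),
    }

if __name__ == "__main__":
    for label, mal in (("legitimate switch", False), ("stand-in switch", True)):
        print(label, run_scenario(mal))
```

With the legitimate switch only the first withdrawal is approved and the CBS balance drops accordingly; with the stand-in switch all three are approved, 620 is dispensed, the CBS balances are untouched, and every journal entry comes back from `reconcile` as an orphan. That gap between terminal journals and the CBS ledger is what a routine reconciliation report would have shown, which is also why the fraud detection on the backend saw nothing while the withdrawals were running.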
The incident has been tentatively linked to the Lazarus Group, the elite hacking crew allegedly maintained by the North Korean regime. The same group was blamed for the devastating success of the WannaCry ransomware last year. “In case of the Cosmos Bank attack, this was not the typical basic card-not-present (CNP), jackpotting, or blackboxing fraud. The attack was a more advanced, well-planned, and highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance,” the research team further explained.
Researchers who have investigated the incident agree that the cybercriminals carried out extensive reconnaissance of the Cosmos Bank infrastructure beforehand. Meanwhile, bank staff may have ignored the alerts raised by their own systems, for reasons that are not yet known. The researchers conclude that the heist should be plainly visible in the audit reports generated by the bank's own systems.