How Hackers Stole 13.5 Million USD

For Cosmos Bank, a bank that has been in business for 112 years, August will go down as one of its worst months. On August 14, 2018, the Hindustan Times reported that the bank had suffered a two-stage attack in which malware planted on the bank's ATM server was used to steal customers' card information, along with the SWIFT codes required for transactions. In the first wave, roughly 11.5 million USD was withdrawn in transactions across multiple countries. In the second wave, on the same day, close to 2 million USD was withdrawn through debit card transactions across India. When the funds were later traced, it was found that they had been transferred to Hong Kong via fraudulent SWIFT transactions.

Cosmos Bank chairman Milind Kale said the cyberattack was a global effort, with attackers operating from "22 nations." The bank pointed to Canada as the origin of many of the fraudulent transactions. A further Hindustan Times article reported that the hackers had failed in their first attempt to compromise the bank's systems; worryingly, that failed attempt triggered no alert that would have put the bank on guard against further suspicious activity. The bank has since confirmed that no funds were debited from its customers' accounts.

While no customer accounts were debited, many customers will be demanding answers as to how the bank's security measures were bypassed. Researchers from the Securonix Threat Research team have attempted to answer that question: in a report published on Monday, August 27, the firm analyzed how the attack could have been carried out, and went on to attribute it to North Korea.


In the report, the firm's assessment is that the hackers gained their foothold through a "patient zero" compromise, the first infected computer or device on the network. That initial infection, which ultimately allowed the malware to move laterally across the network, was probably the result of a targeted spear-phishing campaign; another possible vector would be unauthorized access to a remote administration interface. The researchers believe that "multiple targeted malware infections" were used to compromise the bank's internal and ATM infrastructure, and that this malware was used in tandem with a compromised central ATM or POS switch. In the first stage of the attack, the malware likely severed the connection between the switch and the backend core banking system (CBS) so that transactions could not be verified. The CBS is the system that processes daily banking transactions and posts updates to accounts and other financial records.

In total, Securonix says 2,849 domestic and 12,000 international transactions were made with 450 cloned debit cards in 28 countries over the course of the heist. The researchers further stated that,

“Attackers were likely able to send fake Transaction Reply (TRE) messages in response to Transaction Request (TRQ) messages from cardholders and terminals. As a result, the required ISO 8583 messages (an international standard for systems that exchange electronic transactions initiated by cardholders using payment cards) were never forwarded to the backend/CBS from the ATM/POS switching solution that was compromised, which enabled the malicious withdrawals and impacted the fraud detection capabilities on the banking backend.”

All of this appears to have taken place during the first stage of the attack. In the second stage, the threat group may have moved laterally into Cosmos Bank's SWIFT environment. The researchers say three fraudulent transactions were then sent to a trader's account at Hang Seng Bank in Hong Kong; as mentioned earlier, a further 2 million USD was stolen during this stage.
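To make the first-stage mechanism concrete, here is an added example (not Securonix's analysis code or anything from Cosmos Bank) that models the ATM/POS switch sitting between card terminals and the core banking system. A clean switch forwards every Transaction Request (TRQ) to the CBS and relays its Transaction Reply (TRE); the compromised switch answers every TRQ with a forged approval and never contacts the CBS, which is why the bank's backend fraud detection saw nothing. The reconciliation function at the end is the check a practitioner would want: switch-side approvals with no matching CBS authorization. Message fields use ISO 8583 names (MTI 0200/0210, STAN, response code 39) but the bitmap wire format is not reproduced; the card, balance, amounts and countries are constructed.

```python
"""Constructed model of an ATM/POS switch in front of a core banking system (CBS).
Added example; not Securonix's or Cosmos Bank's code. ISO 8583 field names are
used for readability only, the real bitmap encoding is not implemented."""
from dataclasses import dataclass, field

APPROVED = "00"            # ISO 8583 field 39 value for an approved transaction
INSUFFICIENT_FUNDS = "51"  # ISO 8583 field 39 value for "insufficient funds"


@dataclass
class CoreBankingSystem:
    """Authoritative ledger: the only place a withdrawal should ever be approved."""
    balances: dict
    ledger: list = field(default_factory=list)   # every TRQ the CBS actually saw

    def authorize(self, trq):
        pan, amount = trq["pan"], trq["amount"]
        code = APPROVED if self.balances.get(pan, 0) >= amount else INSUFFICIENT_FUNDS
        if code == APPROVED:
            self.balances[pan] -= amount
        self.ledger.append({**trq, "response": code})
        return {"mti": "0210", "stan": trq["stan"], "pan": pan, "response": code}


class Switch:
    """Legitimate switch: forwards every 0200 TRQ to the CBS and relays its 0210 TRE."""
    def __init__(self, cbs):
        self.cbs = cbs
        self.log = []   # (trq, tre) pairs as seen at the switch

    def handle(self, trq):
        tre = self.cbs.authorize(trq)
        self.log.append((trq, tre))
        return tre


class CompromisedSwitch(Switch):
    """Models the behaviour the report describes: the switch never contacts the
    CBS and replies to every TRQ with a locally forged approval."""
    def handle(self, trq):
        tre = {"mti": "0210", "stan": trq["stan"], "pan": trq["pan"], "response": APPROVED}
        self.log.append((trq, tre))
        return tre


def reconcile(switch_log, cbs_ledger):
    """Return switch-approved withdrawals that the CBS never authorized.

    Keyed on (PAN, STAN): the STAN is the terminal's trace number for the request,
    so a switch-side approval with no matching CBS approval is a forged TRE."""
    seen = {(t["pan"], t["stan"]) for t in cbs_ledger if t["response"] == APPROVED}
    return [trq for trq, tre in switch_log
            if tre["response"] == APPROVED and (trq["pan"], trq["stan"]) not in seen]


# Constructed sample: one cloned card used at ATMs in three countries in quick succession.
REQUESTS = [
    {"mti": "0200", "pan": "4111111111111111", "stan": "000101", "amount": 300, "country": "CA"},
    {"mti": "0200", "pan": "4111111111111111", "stan": "000102", "amount": 400, "country": "HK"},
    {"mti": "0200", "pan": "4111111111111111", "stan": "000103", "amount": 100, "country": "US"},
]


def run_scenario(compromised):
    """Run the sample requests through a clean or compromised switch.

    Returns (approvals the terminals saw, orphan approvals found by
    reconciliation, remaining CBS balance for the card)."""
    cbs = CoreBankingSystem(balances={"4111111111111111": 500})
    switch = CompromisedSwitch(cbs) if compromised else Switch(cbs)
    approved = sum(switch.handle(trq)["response"] == APPROVED for trq in REQUESTS)
    orphans = reconcile(switch.log, cbs.ledger)
    return approved, len(orphans), cbs.balances["4111111111111111"]


if __name__ == "__main__":
    print("clean switch      :", run_scenario(compromised=False))   # (2, 0, 100)
    print("compromised switch:", run_scenario(compromised=True))    # (3, 3, 500)
```

With the clean switch, the 400 withdrawal is declined and the balance is debited for the two approvals, so reconciliation finds nothing. With the compromised switch, the terminals dispense cash three times while the CBS balance never moves, and every approval is an orphan. Two caveats for anyone turning this into a real control: the 12,000 international transactions happened within hours, so an end-of-day batch reconciliation would have been far too late and the comparison needs to run continuously; and the switch's own log cannot be trusted once the switch is compromised, so the terminal-side record should come from the card network or a network tap rather than from the switch.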

Lazarus Group…again

The researchers went further than describing how the attack may have been carried out: they also attributed it to Lazarus Group. The North Korean group, believed to be intrinsically linked to the state and tasked with cyber espionage campaigns as well as financially motivated heists, is the advanced persistent threat the InfoSec community loves to hate. The group made headlines again last week, as it now appears capable of creating and deploying malware targeting Macs.

Security firms often do not publicly attribute attacks this quickly; more often than not they conduct further research and publish a technical white paper detailing their findings. In this instance Securonix was quick to point the finger, but not without evidence. Researchers picked out similarities between this attack and previous ones conducted by Lazarus, also referred to as Hidden Cobra. These included the use of Windows admin shares for lateral movement, custom command and control (C2) traffic that mimics TLS, adding new services on targets for persistence, Windows Firewall changes, timestomping, reflective DLL injection, and a number of other techniques, all of which have been seen time and again in attacks attributed to the group. MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework publishes a comprehensive summary of the techniques employed by Lazarus Group.
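Two of the techniques listed above, admin-share access for lateral movement and a new service installed for persistence, form a classic pair (PsExec-style remote execution leaves exactly this trail), and the combination is a much stronger signal than either event alone. The following is an added example, not from the Securonix report or this page's author, that correlates the two on a constructed event sample. The records mirror the data fields of Windows Security event 5140 (a network share object was accessed) and System event 7045 (a service was installed in the system); the host names, IP addresses, user names, service names and the five-minute window are assumptions made for the example.

```python
"""Correlate admin-share access (Security 5140) with a service install (System 7045)
on the same host. Added example; the events below are constructed, not real logs."""
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
WINDOW = timedelta(minutes=5)   # assumption: remote-exec tooling installs its service within seconds

EVENTS = [  # constructed sample log, not from any real incident
    {"time": "2018-08-11T01:02:10", "host": "SW-HOST-1", "event_id": 5140,
     "share": "\\\\*\\ADMIN$", "src_ip": "10.20.30.40", "user": "svc_backup"},
    {"time": "2018-08-11T01:02:41", "host": "SW-HOST-1", "event_id": 7045,
     "service": "WinUpdSvc", "image": "C:\\Windows\\winupd.exe"},
    {"time": "2018-08-11T03:15:00", "host": "FILE-2", "event_id": 5140,
     "share": "\\\\*\\Finance", "src_ip": "10.20.30.41", "user": "alice"},
    {"time": "2018-08-11T09:00:00", "host": "WKS-7", "event_id": 7045,
     "service": "Dell Update", "image": "C:\\Program Files\\Dell\\update.exe"},
    {"time": "2018-08-11T10:00:00", "host": "WKS-7", "event_id": 5140,
     "share": "\\\\*\\C$", "src_ip": "10.20.30.42", "user": "helpdesk"},
]


def share_name(unc_path):
    """'\\\\*\\ADMIN$' -> 'ADMIN$' (5140 records the share as a UNC path)."""
    return unc_path.rsplit("\\", 1)[-1].upper()


def detect(events, window=WINDOW):
    """Alert when an admin-share access is followed on the same host by a service
    install within `window`. Returns one alert dict per matching pair; a service
    install that precedes the share access does not match."""
    alerts = []
    accesses = {}   # host -> [(time, 5140 event)] admin-share accesses seen so far
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["event_id"] == 5140 and share_name(e["share"]) in ADMIN_SHARES:
            accesses.setdefault(e["host"], []).append((t, e))
        elif e["event_id"] == 7045:
            for t0, a in accesses.get(e["host"], []):
                if timedelta(0) <= t - t0 <= window:
                    alerts.append({"host": e["host"], "src_ip": a["src_ip"],
                                   "user": a["user"], "service": e["service"],
                                   "image": e["image"],
                                   "lag_s": int((t - t0).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)   # one alert: SW-HOST-1, ADMIN$ from 10.20.30.40, service 31 s later
```

On the sample only SW-HOST-1 fires: a non-admin share on FILE-2 is ignored, and on WKS-7 the service was installed an hour before the C$ access, so the order rules it out. Event 5140 is only written when the "Audit File Share" subcategory under Object Access is enabled, so the check is silent on hosts where that policy is off; and legitimate administration tools produce the same pair, so the alert is worth baselining by source IP and account before it goes to an on-call queue.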

Further, researchers were quick to point out that,

“In the case of the Cosmos Bank attack, this was not the typical basic card-not-present (CNP), jackpotting, or black boxing fraud. The attack was a more advanced, well-planned, and highly-coordinated operation that focused on the bank's infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance.”

Put differently, attacks such as these require a skill set and resources far beyond those of the average cybercriminal or scammer. Under the economic pressure of sanctions, North Korea's government appears to regard the rest of the world as fair game. Bangladesh knows the ramifications of that attitude first-hand: in 2016, Lazarus Group is widely believed to have stolen approximately 81 million USD from Bangladesh Bank, the country's central bank, showing the group is more than capable of conducting similar attacks in future.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
