
Hackers ‘Wiped All Traces’ After £10m Bank Heist

A sophisticated heist that left India’s second-largest co-operative bank more than $13.5 million (£10.37m) out of pocket cannot yet be definitively linked to any particular hacking group, because the thieves destroyed all traces of their activity, officials have said.

Security analysts have said the pattern of the theft, which hit 112-year-old Cosmos Bank earlier this month, makes it likely to have been carried out by the North Korean state-backed Lazarus hacking group.

But that attribution cannot be established with any confidence, because the attackers used anti-forensic tools to cover their tracks, according to the special investigation team handling the case.

“They have wiped out all tracks, leaving no evidence; it’s well-planned,” Brijesh Singh, head of the unit set up by Maharashtra Police, told local media on Wednesday.

No traces

He said that, as a result, law enforcement agencies have not established a link to Lazarus or to the Cobalt group, whose leader was arrested in Spain earlier this year.

The attack on Pune-based Cosmos Bank is the latest major theft making use of compromised back-end banking systems.

It was carried out over four days, 10 to 13 August, and comprised two separate incidents: the theft of $11.5m through fraudulent ATM cash withdrawals and a fraudulent SWIFT transfer worth $2m.

The ATM withdrawals, made over seven hours on 10-11 August, involved 2,849 domestic transactions and 12,000 international transactions using 450 cloned debit cards in 28 countries, security researchers said.

The SWIFT network was then used on 13 August to send three transfers worth a total of about $2m to Hang Seng Bank in Hong Kong.

Security firm Securonix said the hackers probably carried out an initial compromise of the bank’s systems, perhaps through a targeted phishing attack, as Lazarus has done in the past.

The hackers then compromised the bank’s ATM infrastructure, set up a malicious ATM switch of their own and cut the genuine switch off from the bank’s core banking systems.

Internal compromise

Because the bogus switch now sat between the ATM network and the core banking system, it could answer each card’s authorisation request itself, approving withdrawals without any balance check. That allowed the attackers to manipulate account balances and carry out the fraudulent transactions en masse, with every request being processed by the malicious switch rather than the bank.

The ISO 8583 messages that any use of a payment card normally generates (the authorisation request sent by the terminal and the approval or decline it receives) were therefore never forwarded to the bank’s back-end systems, which had no record of the withdrawals as they happened.
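The switch bypass described above, reduced to its essentials as an added example (this is not code from Cosmos Bank, Securonix or the investigators). A toy ISO 8583 authorisation flow is run twice: once through a genuine switch that forwards every 0200 request to the core banking system and relays its decision, and once through an attacker-controlled switch whose link to the core system has been severed and which approves everything. The reconciliation check at the end is the control a practitioner would want: any approved 0210 response with no matching core-banking debit is cash the bank never authorised. The card number, terminal ID, amounts and balances are all constructed; only the message type indicators (0200/0210) and data-element numbers (DE2 PAN, DE4 amount, DE11 STAN, DE39 response code, DE41 terminal) follow the real standard.

```python
from dataclasses import dataclass

# ISO 8583 data elements (DE) used by this toy authorisation flow.
# MTI 0200 = financial transaction request, 0210 = its response.
DE_PAN, DE_AMOUNT, DE_STAN, DE_RESPONSE, DE_TERMINAL = 2, 4, 11, 39, 41


@dataclass
class Iso8583:
    mti: str
    fields: dict

    def reply(self, response_code):
        """Build the 0210 response to this 0200 request."""
        return Iso8583("0210", {**self.fields, DE_RESPONSE: response_code})


class CoreBanking:
    """Stand-in for the core banking system (CBS) that holds the real balances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.ledger = []          # debits actually posted: (STAN, PAN, amount)

    def authorize(self, req):
        pan, amount = req.fields[DE_PAN], req.fields[DE_AMOUNT]
        if self.balances.get(pan, 0) < amount:
            return "51"           # DE39: insufficient funds
        self.balances[pan] -= amount
        self.ledger.append((req.fields[DE_STAN], pan, amount))
        return "00"               # DE39: approved


class GenuineSwitch:
    """Forwards every 0200 to the CBS and relays the CBS decision."""

    def __init__(self, cbs):
        self.cbs = cbs
        self.log = []             # every 0210 sent back to a terminal

    def handle(self, req):
        resp = req.reply(self.cbs.authorize(req))
        self.log.append(resp)
        return resp


class MaliciousSwitch:
    """The attackers' switch: link to the CBS severed, approves everything."""

    def __init__(self):
        self.log = []

    def handle(self, req):
        resp = req.reply("00")    # unconditional approval, no balance check
        self.log.append(resp)
        return resp


def withdrawals(pan, amount, count, terminal):
    """Constructed burst of cash withdrawals from one cloned card."""
    return [Iso8583("0200", {DE_PAN: pan, DE_AMOUNT: amount,
                             DE_STAN: f"{n:06d}", DE_TERMINAL: terminal})
            for n in range(1, count + 1)]


def run(switch, requests):
    """Return the DE39 response codes the terminals received."""
    return [switch.handle(r).fields[DE_RESPONSE] for r in requests]


def reconcile(switch_log, ledger):
    """Approved 0210s with no matching CBS debit. A non-empty result means the
    switch handed out cash the core system never authorised."""
    posted = {stan for stan, _, _ in ledger}
    return [m for m in switch_log
            if m.fields[DE_RESPONSE] == "00" and m.fields[DE_STAN] not in posted]


if __name__ == "__main__":
    # Constructed test PAN and terminal; balance and amounts are arbitrary.
    pan = "4111111111111111"
    reqs = withdrawals(pan, 20000, 5, "ATM-HK-01")

    cbs = CoreBanking({pan: 50000})
    good = GenuineSwitch(cbs)
    print(run(good, reqs))                         # ['00', '00', '51', '51', '51']

    bad = MaliciousSwitch()
    untouched = CoreBanking({pan: 50000})          # never hears about the cash-out
    print(run(bad, reqs))                          # ['00', '00', '00', '00', '00']
    print(len(reconcile(bad.log, untouched.ledger)))  # 5
```

With the genuine switch the third withdrawal is declined once the balance is exhausted, and reconciliation is clean. With the malicious switch every request is approved, the core system's balance and ledger are untouched, and reconciling the switch's own response log against the ledger exposes all five approvals as unbacked. The practical lesson is that the switch log and the core ledger have to be reconciled continuously by a system that does not trust the switch; once the switch is the only component that sees the ISO 8583 traffic, it is also the only component that can lie about it.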

The compromise was complete enough that the hackers were able to use the bank’s own SWIFT systems to send the three fraudulent transfers to Hong Kong, Securonix said.

“This was not the typical basic card-not-present (CNP), jackpotting or blackboxing fraud,” the firm said in its analysis. “The attack was a more advanced, well-planned, and highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance.”

Two years ago hackers stole $81m from the central bank of Bangladesh via the SWIFT network after compromising its internal systems.

The incident led SWIFT to introduce its Customer Security Programme, which imposes mandatory security controls on institutions connected to its network.

Matthew Broersma

Matt Broersma is a long-standing technology freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
