Categories: SecurityWorkspace

Hackers ‘Wiped All Traces’ After £10m Bank Heist

A sophisticated heist that left India’s second-largest bank more than $13.5 million (£10.37m) out of pocket cannot yet be definitely linked to any particular hacking group because the thieves destroyed all traces of their activity, officials have said.

Security analysts have said the pattern of the theft, which hit 112-year-old Cosmos Bank earlier this month, makes it likely to have been carried out by the North Korean state-backed Lazarus hacking group.

But this can’t be accurately established due to the attackers’ use of anti-forensic tools, according to the special investigations group handling the case.

“They have wiped out all tracks, leaving no evidence; it’s well-planned,” Brijesh Singh, head of the unit set up by Maharashtra Police, told local media on Wednesday.

No traces

He said that as a result law enforcement agencies haven’t established a link to Lazarus or Cobalt, whose leader was arrested in Spain earlier this year.

The attack on Pune-based Cosmos Bank is the latest major theft making use of compromised back-end banking systems.

It was carried out over a period of four days, 10 to 13 August, and included two separate incidents, the theft of $11.5m via fraudulent ATM transfers and a fraudulent SWIFT transfer worth $2m.

The ATM transfers, over a period of seven hours on August 10-11, involved 2,849 domestic transactions and 12,000 international transactions using 450 cloned debit cards in 28 countries, security researchers said.

The SWIFT network was then used on 13 August to send three transfers worth a total of about $2m to Hang Seng Bank in Hong Kong.

Security firm Securonix said the hackers probably carried out an initial compromise of the bank’s systems, perhaps through a targeted phishing attack, as Lazarus has done in the past.

The hackers then compromised the bank’s ATM infrastructure, set up a malicious ATM switch and severed the genuine switch’s connection to the bank’s back-end systems.

Internal compromise

That meant the attackers were able to manipulate account balances and carry out the fraudulent transfers en masse, with the transfers being processed by the malicious switch.

The messages normally generated by any use of a payment card, called ISO 8583 messages, would as such never have been forwarded to the bank’s back-end systems.

The compromise was complete enough that the hackers were able to use the bank’s own SWIFT systems to send the three fraudulent transfers to Hong Kong, Securonix said.

“This was not the typical basic card-not-present (CNP), jackpotting or blackboxing fraud,” the firm said in its analysis. “The attack was a more advanced, well-planned, and highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance.”

Two years ago hackers stole $81m from the central bank of Bangladesh via the SWIFT network after compromising its internal systems.

The incident led SWIFT to introduce improved security measures.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

US DoJ Charges Six Russian GRU Officers For Cyberattacks

Hackers also targeted this year's delayed Olympic Games in Tokyo says UK, as the US…

1 hour ago

Google Discloses Biggest-Ever DDoS Attack

Google says it successfully fended off a 2.5 Tbps denial-of-service attack in 2017, making it…

1 day ago

Microsoft Issues Two Emergency Windows Patches

Microsoft publishes out-of-band patches for bugs in Visual Studio Code and Windows Codecs Library that…

1 day ago

Zoom Introduces Paid Events, In-Meeting Apps

Zoom aims to capitalise on its massively increased user base with platform for paid events…

1 day ago

European Telecoms Trade Group Warns Against Banning Chinese Vendors

Banning Chinese telecoms equipment vendors for political reasons will increase costs and delay network upgrades,…

1 day ago

Twitter Changes Policy On Blocking ‘Hacked Materials’

Twitter will no longer block links to articles containing hacked materials, following criticism over treatment…

1 day ago