Categories: SecurityWorkspace

Hackers ‘Wiped All Traces’ After £10m Bank Heist

A sophisticated heist that left India’s second-largest bank more than $13.5 million (£10.37m) out of pocket cannot yet be definitely linked to any particular hacking group because the thieves destroyed all traces of their activity, officials have said.

Security analysts have said the pattern of the theft, which hit 112-year-old Cosmos Bank earlier this month, makes it likely to have been carried out by the North Korean state-backed Lazarus hacking group.

But this can’t be accurately established due to the attackers’ use of anti-forensic tools, according to the special investigations group handling the case.

“They have wiped out all tracks, leaving no evidence; it’s well-planned,” Brijesh Singh, head of the unit set up by Maharashtra Police, told local media on Wednesday.

No traces

He said that as a result law enforcement agencies haven’t established a link to Lazarus or Cobalt, whose leader was arrested in Spain earlier this year.

The attack on Pune-based Cosmos Bank is the latest major theft making use of compromised back-end banking systems.

It was carried out over a period of four days, 10 to 13 August, and included two separate incidents, the theft of $11.5m via fraudulent ATM transfers and a fraudulent SWIFT transfer worth $2m.

The ATM transfers, over a period of seven hours on August 10-11, involved 2,849 domestic transactions and 12,000 international transactions using 450 cloned debit cards in 28 countries, security researchers said.

The SWIFT network was then used on 13 August to send three transfers worth a total of about $2m to Hang Seng Bank in Hong Kong.

Security firm Securonix said the hackers probably carried out an initial compromise of the bank’s systems, perhaps through a targeted phishing attack, as Lazarus has done in the past.

The hackers then compromised the bank’s ATM infrastructure, set up a malicious ATM switch and severed the genuine switch’s connection to the bank’s back-end systems.

Internal compromise

That meant the attackers were able to manipulate account balances and carry out the fraudulent transfers en masse, with the transfers being processed by the malicious switch.

The messages normally generated by any use of a payment card, called ISO 8583 messages, would as such never have been forwarded to the bank’s back-end systems.

The compromise was complete enough that the hackers were able to use the bank’s own SWIFT systems to send the three fraudulent transfers to Hong Kong, Securonix said.

“This was not the typical basic card-not-present (CNP), jackpotting or blackboxing fraud,” the firm said in its analysis. “The attack was a more advanced, well-planned, and highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance.”

Two years ago hackers stole $81m from the central bank of Bangladesh via the SWIFT network after compromising its internal systems.

The incident led SWIFT to introduce improved security measures.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Mozilla Drops ‘Do Not Track’ For Upcoming Firefox Browser

The forthcoming Firefox 13.5 will not include a 'do not track' option, as the opt-out…

28 mins ago

UN Body To Protect Subsea Cables Holds First Meeting

United Nations body to protect undersea communications cables that are crucial for international trade and…

17 hours ago

Meta Donates $1 Million To Donald Trump Inauguration Fund

Weeks after CEO Mark Zuckerberg met with Donald Trump privately at Mar-a-Lago, comes news of…

19 hours ago

US To Raise Tariffs On Chinese Solar Wafers, Polysilicon, Tungsten

Protecting American clean energy businesses. Biden administration plans to raise tariffs on certain Chinese products

19 hours ago

Australia To ‘Charge’ Tech Firms For News Content, After Meta Ends Licensing Deal

News fee. Australia looks introduce mandatory charge on social media platforms and search engines to…

20 hours ago