A sophisticated heist that left India’s second-largest bank more than $13.5 million (£10.37m) out of pocket cannot yet be definitely linked to any particular hacking group because the thieves destroyed all traces of their activity, officials have said.
Security analysts have said the pattern of the theft, which hit 112-year-old Cosmos Bank earlier this month, makes it likely to have been carried out by the North Korean state-backed Lazarus hacking group.
But this can’t be accurately established due to the attackers’ use of anti-forensic tools, according to the special investigations group handling the case.
“They have wiped out all tracks, leaving no evidence; it’s well-planned,” Brijesh Singh, head of the unit set up by Maharashtra Police, told local media on Wednesday.
He said that as a result law enforcement agencies haven’t established a link to Lazarus or Cobalt, whose leader was arrested in Spain earlier this year.
The attack on Pune-based Cosmos Bank is the latest major theft making use of compromised back-end banking systems.
It was carried out over a period of four days, 10 to 13 August, and included two separate incidents, the theft of $11.5m via fraudulent ATM transfers and a fraudulent SWIFT transfer worth $2m.
The ATM transfers, over a period of seven hours on August 10-11, involved 2,849 domestic transactions and 12,000 international transactions using 450 cloned debit cards in 28 countries, security researchers said.
The SWIFT network was then used on 13 August to send three transfers worth a total of about $2m to Hang Seng Bank in Hong Kong.
Security firm Securonix said the hackers probably carried out an initial compromise of the bank’s systems, perhaps through a targeted phishing attack, as Lazarus has done in the past.
The hackers then compromised the bank’s ATM infrastructure, set up a malicious ATM switch and severed the genuine switch’s connection to the bank’s back-end systems.
That meant the attackers were able to manipulate account balances and carry out the fraudulent transfers en masse, with the transfers being processed by the malicious switch.
The messages normally generated by any use of a payment card, called ISO 8583 messages, would as such never have been forwarded to the bank’s back-end systems.
The compromise was complete enough that the hackers were able to use the bank’s own SWIFT systems to send the three fraudulent transfers to Hong Kong, Securonix said.
“This was not the typical basic card-not-present (CNP), jackpotting or blackboxing fraud,” the firm said in its analysis. “The attack was a more advanced, well-planned, and highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance.”
The incident led SWIFT to introduce improved security measures.