Categories: SecurityWorkspace

Hackers ‘Wiped All Traces’ After £10m Bank Heist

A sophisticated heist that left India’s second-largest bank more than $13.5 million (£10.37m) out of pocket cannot yet be definitely linked to any particular hacking group because the thieves destroyed all traces of their activity, officials have said.

Security analysts have said the pattern of the theft, which hit 112-year-old Cosmos Bank earlier this month, makes it likely to have been carried out by the North Korean state-backed Lazarus hacking group.

But this can’t be accurately established due to the attackers’ use of anti-forensic tools, according to the special investigations group handling the case.

“They have wiped out all tracks, leaving no evidence; it’s well-planned,” Brijesh Singh, head of the unit set up by Maharashtra Police, told local media on Wednesday.

No traces

He said that as a result law enforcement agencies haven’t established a link to Lazarus or Cobalt, whose leader was arrested in Spain earlier this year.

The attack on Pune-based Cosmos Bank is the latest major theft making use of compromised back-end banking systems.

It was carried out over a period of four days, 10 to 13 August, and included two separate incidents, the theft of $11.5m via fraudulent ATM transfers and a fraudulent SWIFT transfer worth $2m.

The ATM transfers, over a period of seven hours on August 10-11, involved 2,849 domestic transactions and 12,000 international transactions using 450 cloned debit cards in 28 countries, security researchers said.

The SWIFT network was then used on 13 August to send three transfers worth a total of about $2m to Hang Seng Bank in Hong Kong.

Security firm Securonix said the hackers probably carried out an initial compromise of the bank’s systems, perhaps through a targeted phishing attack, as Lazarus has done in the past.

The hackers then compromised the bank’s ATM infrastructure, set up a malicious ATM switch and severed the genuine switch’s connection to the bank’s back-end systems.

Internal compromise

That meant the attackers were able to manipulate account balances and carry out the fraudulent transfers en masse, with the transfers being processed by the malicious switch.

The messages normally generated by any use of a payment card, called ISO 8583 messages, would as such never have been forwarded to the bank’s back-end systems.

The compromise was complete enough that the hackers were able to use the bank’s own SWIFT systems to send the three fraudulent transfers to Hong Kong, Securonix said.

“This was not the typical basic card-not-present (CNP), jackpotting or blackboxing fraud,” the firm said in its analysis. “The attack was a more advanced, well-planned, and highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance.”

Two years ago hackers stole $81m from the central bank of Bangladesh via the SWIFT network after compromising its internal systems.

The incident led SWIFT to introduce improved security measures.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Gloucester City Council Confirms ‘Cyber Incident’

Council IT services hit by so called 'sleeper' malware, with media reports pointing the finger…

16 hours ago

Gigabyte Broadband Pledge At Risk, Warns Spending Watchdog

UK pledge to close the digital divide of broadband services for urban and rural customers…

18 hours ago

UK To Address Marketing Of High Risk Crypto Investments

British financial watchdog says it will curb the marketing of cryptoassets and other high-risk investments,…

21 hours ago

Tesla Driver Charged With Manslaughter After Autopilot Crash

Criminal charges for the first time in fatal crash involving Tesla's Autopilot, as driver is…

22 hours ago

Airport 5G Towers Switched Off In Temporary Aviation Compromise

AT&T and Verizon agree to temporarily switch off 5G towers near certain airports, as operators…

23 hours ago