
BAE SYSTEMS PROPRIETARY / TLP – AMBER

INTEL – 2018-08-20

India’s CosmosBank heist


BAE SYSTEMS PROPRIETARY / TLP – AMBER. This report and contents have been provided for distribution within your organisation only

BACKGROUND

On 13 August news broke of a cyber-attack at Cosmos Bank, the second-biggest co-operative bank in India, in which
attackers had moved 94 crore ($13.5m USD) through ATMs in 28 countries as well as through unauthorised SWIFT
transactions.[1] Over the course of just a few hours on Saturday 11 August, the group co-ordinated almost 15,000
transactions to cash out funds through ATMs worldwide using compromised Visa and Rupay cards. Two days later the
attackers made further fraudulent transactions through the bank's interface to the SWIFT messaging system.

In this report we review the timeline of the attack, along with an explanation of how the culprits were able to manipulate
the authorisation process for ATM withdrawals. Finally, we cover the links to the Lazarus group and comment on
evidence of their efforts to diversify their bank heist techniques.

ANALYSIS

Attack Timeline

Figure 1: Timeline of Cosmos attack

On 9 August, the FBI released an alert on an imminent and "unlimited" cash-out operation.[2] The use of ATM withdrawals to
access stolen funds is a technique that has already been used by several groups, including the Cobalt Gang, but at the
time there was no known link between the unlimited cash-out warning and the upcoming Cosmos breach.[3]

The bank's chairman later said at a press conference that 12,000 ATM withdrawals on 11 August took place in a
two-hour and 13-minute window across 28 countries, pointing to a large and organised group of participants. Attackers
reportedly obtained nine years of information on Visa and Rupay cards.[4] This allowed them to create cloned cards that
were then used to withdraw amounts ranging from $100 to $2,500.[5]

[1] https://indianexpress.com/article/cities/pune/cyber-attack-on-pune-based-co-op-bank-rs-94-crore-siphoned-off-by-hackers-5305646/
[2] https://krebsonsecurity.com/2018/08/fbi-warns-of-unlimited-atm-cashout-blitz/
[3] TI_18045_RR_Cobalt_Gang_Mules
[4] https://timesofindia.indiatimes.com/city/pune/cosmos-bank-data-from-9-years-compromised-in-rs-94-42cr-heist/articleshow/65456374.cms
[5] https://www.computing.co.uk/ctg/news/3061187/atm-hackers-steal-usd135m-in-28-countries-from-indias-cosmos-bank-just-days-after-fbi-warning


Visa cards were used around the world to withdraw 78 crore, while compromised Rupay card details were used for a
smaller operation between 3pm and 10pm to take 2.5 crore from machines in the Indian cities of Pune, Mumbai,
Kolhapur and Indore.[6]

Two days later, on 13 August, the attackers made three transfers worth 13.9 crore through the SWIFT interbank network
to ALM Trading Limited in Hong Kong.

The police began investigating the incident on 14 August after contact from Cosmos.

As a result of the attack, or as a precaution against further damage, Cosmos took some of its services offline. Its online
banking page remains down nine days later, as shown below. It is not known whether this is a precautionary measure or
the result of destruction of systems, a tactic the attackers have used in other recent cases.

Figure 2: Cosmos online banking portal down for maintenance

ATM Cashing-out
The picture of how exactly the bank was manipulated into releasing funds via ATMs is still not fully understood.
However, by piecing together quotes from representatives of Cosmos Bank and the police investigators responding to the
incident, we have constructed a plausible technique that the attackers may have used. This is explained with the diagram
below:

[6] https://www.moneycontrol.com/news/technology/cosmos-bank-hack-money-withdrawn-from-four-cities-say-cops-2858101.html


Figure 3: How a malicious ATM transaction could work

The transaction flow is described below:

Step 1. A money mule is provided with a cloned card, which is inserted into the ATM.

   It is currently unclear how the attackers obtained the card details. However, if the attackers had been in
   the network for sufficient time to do reconnaissance and identify the systems where this data is stored,
   then they may well have obtained it directly. This is further supported by reporting which states that the
   attackers obtained nine years of information on Visa and Rupay cards.[7]

Step 2. With the card inserted into the ATM, the machine connects to the transaction processor and transmits
   the card and transaction information along with the PIN associated with the card.

Step 3. If the ATM does not belong to the issuing bank, the request goes through the interchange network to the
   transaction processor associated with the issuing bank (in this case Cosmos Bank).

   India's major ATM system runs through the National Financial Switch (NFS), operated by the National
   Payments Corporation of India (NPCI), which connects ATM switches to other member banks.[8] This
   likely plays part of the role of the interchange network within India. There is no evidence that the NFS has
   been breached in this attack, but there remains a possibility it could have been compromised too.[9]

Step 4. Details of the requested transaction are sent to the core banking services within the issuing bank
   (Cosmos).

Step 5. The authorisation request enters the bank; however, the attackers appear to have redirected the regular
   routing of the authorisation away from the normal authorisation server to an attacker-controlled virtual
   server. This was reportedly done by creating or manipulating a proxy within the bank.[10] The
   attacker-controlled authorisation service is then able to approve every request.

   Reports also state that if the real authorisation server had received the requests, it would have alerted
   officials at the bank, likely through fraud detection systems.

   Cosmos uses BPC's SmartVista ATM switch, having upgraded in late 2015 from its Electra equipment.[11]
   Its core banking system, meanwhile, has run on IBM's Power 7 equipment since 2011.[12] However, it is
   not known whether any of these components were manipulated in this attack.

Step 6. The attacker-created authorisation is passed back to the transaction processor.

Step 7. The attacker-created authorisation is passed back to the ATM.

Step 8. The ATM dispenses cash to the mule.

[7] https://timesofindia.indiatimes.com/city/pune/cosmos-bank-data-from-9-years-compromised-in-rs-94-42cr-heist/articleshow/65456374.cms
[8] https://www.npci.org.in/sites/default/files/NFS%20Operating%20and%20Settlement%20Guidelines.pdf
[9] https://www.businesstoday.in/sectors/banks/cosmos-bank-atm-fraud-npci-says-its-systems-fully-secure/story/281344.html
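The two anomalies in the flow above (approvals answered by something other than the bank's real authorisation server, and a burst of approvals spread across many countries in minutes on a weekend) are what a bank's monitoring would need to surface. The following is an added example, not code from the BAE report; the log format, the host name auth-core.bank.internal and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Offline checks over constructed ATM authorisation logs (added example)."""
from datetime import datetime, timedelta

# Assumed format: "timestamp|masked_pan|country|amount_usd|auth_host|response".
LEGIT_AUTH_HOST = "auth-core.bank.internal"  # assumed name of the real authoriser

SAMPLE_LOG = """\
2018-08-11T15:02:10|4123****0001|IN|100|auth-core.bank.internal|APPROVED
2018-08-11T15:02:45|4123****0002|US|2500|proxy-vm-17.bank.internal|APPROVED
2018-08-11T15:03:01|4123****0003|CA|2000|proxy-vm-17.bank.internal|APPROVED
2018-08-11T15:03:20|4123****0004|GB|1500|proxy-vm-17.bank.internal|APPROVED
2018-08-11T15:03:44|4123****0005|AE|2500|proxy-vm-17.bank.internal|APPROVED
2018-08-11T15:04:05|4123****0006|JP|1200|proxy-vm-17.bank.internal|APPROVED
2018-08-11T15:04:30|4123****0007|BR|800|proxy-vm-17.bank.internal|APPROVED
2018-08-12T09:00:00|4123****0008|IN|100|auth-core.bank.internal|DECLINED
"""

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, pan, country, amount, host, resp = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "pan": pan, "country": country,
                     "amount": int(amount), "host": host, "resp": resp})
    return rows

def rogue_authoriser(rows):
    """Approvals that did not come from the real authorisation host (Step 5)."""
    return [r for r in rows if r["resp"] == "APPROVED" and r["host"] != LEGIT_AUTH_HOST]

def cashout_burst(rows, window=timedelta(minutes=10), min_approvals=5, min_countries=3):
    """Sliding time window over approvals; returns the densest window that meets
    both thresholds (approval count and distinct countries), else None."""
    approved = sorted((r for r in rows if r["resp"] == "APPROVED"), key=lambda r: r["ts"])
    best, start = None, 0
    for end in range(len(approved)):
        while approved[end]["ts"] - approved[start]["ts"] > window:
            start += 1
        span = approved[start:end + 1]
        countries = {r["country"] for r in span}
        if len(span) >= min_approvals and len(countries) >= min_countries:
            if best is None or len(span) > best["approvals"]:
                best = {"from": span[0]["ts"], "to": span[-1]["ts"], "approvals": len(span),
                        "countries": sorted(countries),
                        "weekend": span[0]["ts"].weekday() >= 5}  # FBI: cash-outs favour weekends
    return best

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(len(rogue_authoriser(rows)), "approvals from a non-standard authoriser")
    print(cashout_burst(rows))
```

The second check flags a cross-border burst even when every reply appears to come from the right host, which matters because a proxy that rewrites the responder field would defeat the first check alone.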

SWIFT Cash-out
On 13 August 2018, two days after the cash-out via ATMs, the attackers were able to make three
transactions totalling 13.9 crore ($2m USD) through the bank's SWIFT payment interface. The funds were sent to ALM Trading
Limited in Hong Kong.

ALM Trading Limited was registered in Hong Kong on 13 April 2018, registration number 2680374. It has no obvious
web presence and the ALM name is shared with numerous companies in various sectors around the world, making it
difficult to find signs of its activities, legitimate or otherwise.

Attribution
Through our analysis of the Lazarus Catch22 implant and identifying associated C&C servers, we were able to identify
persistent connections from Cosmos Bank to Lazarus C&C infrastructure. Below is a summary of the connections
observed:

Victim IP        C&C IP              First Seen    Last Seen
115.113.145.77   180.235.132[.]230   05/06/2018    11/06/2018
115.113.145.77   116.50.36[.]136     06/06/2018    25/06/2018
115.113.145.77   176.104.107[.]235   06/06/2018    29/06/2018
115.113.145.77   5.135.193[.]141     18/07/2018    28/07/2018
115.113.145.77   23.227.199[.]114    30/07/2018    02/08/2018

The bank had been warned on multiple occasions over recent months of the Lazarus activity on their network, but failed
to act.

Whilst we can’t currently say for certain that Lazarus were behind both the ATM activity and fraudulent SWIFT
messages, at the moment they appear to be the most likely culprit.

[10] https://timesofindia.indiatimes.com/city/pune/cosmos-bank-data-from-9-years-compromised-in-rs-94-42cr-heist/articleshow/65456374.cms
[11] https://www.cosmosbank.com/wp-content/uploads/2017/09/CosmosAnnualReport201617web.pdf
[12] https://www.computerweekly.com/news/2240034559/Power-7-gives-Cosmos-Bank-threefold-performance-bump


India - hot spot for bank intrusions


We have previously reported on how India's banks have become a significant target for criminal groups.[13] City Union
Bank suffered a breach in February that allowed $1 million to be transferred to a Chinese institution through the SWIFT
network. The attackers had tried to make three transactions totalling $2 million, sending money to Dubai and Turkey,
but were thwarted by City Union and the correspondent bank on the receiving end of the transfer.[14]

An earlier attempt to steal funds from an Indian bank through SWIFT was made in July 2016, when Union Bank of India
halted a $170 million transfer to private accounts in five locations (Thailand, Cambodia, Australia, Hong Kong and
Taiwan).[15]

We found further signs of activity by Lazarus in India in May 2018, when our initial investigations into the Catch22
infrastructure led to evidence of the attackers within Corporation Bank in India.[16]

CONCLUSIONS
The recent heist at Cosmos Bank looks almost certainly to be the work of the Lazarus threat group. Whilst the attempted
money transfers via SWIFT are typical of the group's techniques, it is the cashing out of stolen funds via compromised
bank cards and a web of ATM mules in 28 countries that is novel and concerning.

Whilst this is new, there has been evidence of Lazarus performing reconnaissance on ATM infrastructure in compromised bank
networks in recent months, so the intent has been evident previously, though this is the first confirmed case of an
actual heist.

In our assessment, the Lazarus actors are working hard to diversify their capability for conducting large-scale fraud
against the financial system. Use of local criminals and money mules has been seen before, but pulling off ATM card
based cash-outs on a large scale brings a new avenue for exploiting compromised banks. Laundering funds stolen
through fraudulent SWIFT messages has never been particularly reliable for the group, hence the need for new
approaches. Nonetheless, this case shows they have not completely turned away from targeting SWIFT systems yet.

Indian banks have seen a significant number of attacks of this nature to date, and will likely continue to be a focus for a
range of criminal groups. While the banks are already on notice from regulators to tighten access to SWIFT, this latest
case will doubtless focus minds further.

RECOMMENDATIONS
The FBI's notice on an imminent ATM cash-out, which was sent to banks privately but has been summarised online,[17] is
essential reading for institutions preparing for such an incident. It notes that virtually all cash-outs take place over the
weekend, taking advantage of regular closures when fewer staff are around to notice anomalies.

Some of the recommendations include:

• strong password requirements and two-factor authentication,
• separation of duties for large increases in balances or withdrawal limits,
• application whitelisting to block malware execution,
• monitoring of business-critical account use, remote network tools on the network, encrypted traffic over
  non-standard ports, and traffic to unexpected regions.

[13] TI_18022_RR_Indian_bank_attacks
[14] https://uk.reuters.com/article/us-city-union-bank-swift/indias-city-union-bank-ceo-says-suffered-cyber-hack-via-swift-system-idUKKCN1G20AF
[15] https://thewire.in/banking/cyberthieves-nearly-stole-170-million-union-bank-india
[16] TI_18050_RR_Lazarus_Catch22_banking_backdoor
[17] https://krebsonsecurity.com/2018/08/fbi-warns-of-unlimited-atm-cashout-blitz/
