
Case Study of COSMOS BANK Cyber Attack

Brief of the incident:

A fraud was carried out at Pune's Cosmos Bank, caused by a malware attack on the bank's systems. INR
95 Cr (approx. $13.4 billion) was withdrawn from several ATMs located all around the globe.
The fraudulent transactions took place between August 11 and August 13, and the attack by
the hackers originated in Canada. The embezzlement was done through a malware attack on the bank's
servers and by cloning thousands of debit cards, said Mr. Milind Kale, Cosmos Bank Chairman.
Some payment experts theorize that the fraud involved breaching the firewall of the servers that
authorize ATM transactions. This meant that the ATMs were releasing money without checking
whether the cards were genuine or whether a corresponding bank account existed.
Consequences of the attack:

The malware attack was done on the critical communication systems between the various
payment gateways after which an amount estimated to be INR 78 crore was withdrawn
“physically” through 12,000 ATM transactions outside India, while another 2,800 transactions
were made in different corners of the country, worth an estimated INR 2.5 crore. It was observed
that unusual repeated transactions were taking place through Visa and Rupay cards used at
various ATMs for nearly two hours. On August 13, INR 13.5 crore was transferred by the
hackers to the Hong Kong-based Hang Seng Bank, using the Society for Worldwide Interbank
Financial Telecommunication (SWIFT) facility. As a precautionary measure the bank had to
close all its servers and net banking facilities.
As per the payment settlement system, Visa and Rupay had raised demands for payment for all
of the fraudulent transactions and as per the agreement the bank had to pay a total amount of INR
80.5 Cr to them.
Regarding the transfer of INR 13.92 Cr to the Hong Kong based bank, the money was still in the
banking channel, so Cosmos Bank personnel contacted the said bank in Hong Kong and requested
it to withhold the money.
The bank had registered an FIR at the Chatushringi Police station in Pune city. A case was
registered under sections 43, 65, 66 C, and 66 D of the Information Technology Act 2000 and
relevant sections of Indian Penal code. A Special Investigation Team (SIT) was formed by the
Maharashtra police to probe the case.
Reasons for the attack:

Investigations showed that the cyber-criminals had first carried out extensive and extremely thorough
background surveillance of the Cosmos banking infrastructure. All the while, the bank
officers may have ignored the alerts produced by the system, for an unknown reason. The
researchers concluded that the heist would have been clearly visible in the bank audit report generated
by the system itself.
Also, a few days prior to the attack, the American FBI had warned banks of a major hacking
threat to ATMs worldwide. Despite increased awareness and spending, organizations have
proven themselves largely unprepared for a more organized, strategic and persistent threat.
Technical Loopholes:
It has been stated that the bank may have failed to adequately invest in its Security
Operations Center (SOC), which should have analyzed the incoming traffic.
Analysis suggested that the bank's fraud detection mechanism was non-existent, as there
should have been red alerts when so many overseas transactions were taking place in such a short
span of time.
However, in its statement the bank contended that it had adequate IT security in place.
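The missing control described above, as an added illustration that is not part of the case study: a per-card velocity rule (too many withdrawals, or too much withdrawn abroad, in a short window) and a fleet-wide rule that flags a burst of distinct cards being used at ATMs outside the home country, both run over constructed withdrawal records. Field layout, thresholds and window sizes are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_TXNS = [  # constructed records: (card, timestamp, ATM country, amount in INR)
    ("card-A", "2018-08-11T15:00:00", "IN", 10000),
    ("card-A", "2018-08-11T15:01:00", "CA", 20000),
    ("card-A", "2018-08-11T15:02:00", "CA", 20000),
    ("card-A", "2018-08-11T15:03:00", "AE", 20000),
    ("card-B", "2018-08-11T15:10:00", "IN", 5000),
    ("card-C", "2018-08-11T15:05:00", "US", 15000),
    ("card-D", "2018-08-11T15:06:00", "GB", 15000),
]

def velocity_alerts(txns, home="IN", window=timedelta(minutes=10),
                    max_count=3, max_overseas_amount=30000):
    """Per-card rule: too many withdrawals, or too much withdrawn abroad, in one window."""
    by_card = defaultdict(list)
    for card, ts, country, amount in txns:
        by_card[card].append((datetime.fromisoformat(ts), country, amount))
    alerts = []
    for card, events in by_card.items():
        recent, overseas_sum = deque(), 0
        for t, country, amount in sorted(events):
            recent.append((t, country, amount))
            overseas_sum += amount if country != home else 0
            while t - recent[0][0] > window:  # slide the window forward
                _, old_country, old_amount = recent.popleft()
                overseas_sum -= old_amount if old_country != home else 0
            reasons = []
            if len(recent) > max_count:
                reasons.append(f"{len(recent)} withdrawals within {window}")
            if overseas_sum > max_overseas_amount:
                reasons.append(f"overseas total {overseas_sum} within {window}")
            if reasons:
                alerts.append((card, t.isoformat(), "; ".join(reasons)))
                break  # one alert per card is enough to trigger a block or review
    return alerts

def overseas_card_burst(txns, home="IN", window=timedelta(hours=2), max_cards=2):
    """Fleet-wide rule: an unusual number of distinct cards withdrawing abroad in one window."""
    abroad = sorted((datetime.fromisoformat(ts), card)
                    for card, ts, country, _ in txns if country != home)
    seen = deque()
    for t, card in abroad:
        seen.append((t, card))
        while t - seen[0][0] > window:
            seen.popleft()
        distinct = {c for _, c in seen}
        if len(distinct) > max_cards:
            return (seen[0][0].isoformat(), t.isoformat(), len(distinct))
    return None
```

In a real switch the per-card rule would block the card and the fleet-wide rule would page the SOC, since a burst of many cards abroad is the signature of mass card cloning rather than of one customer travelling.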
Results/Pending investigation:
The panel of experts appointed by the UN Security Council noted a trend in the Democratic
People’s Republic of Korea’s evasion of the financial sanctions of using cyber-attacks to
illegally force the transfer of funds from financial institutions and crypto currency exchanges and
also stated that the attack was “motivated” by North Korea.
The Special Investigation Team (SIT) had recovered INR 10.25 Cr of the money lost in the heist, as
was revealed in August 2018.
The Hong Kong based Hang Seng Bank also returned INR 5.72 Cr to Cosmos Bank in the first
installment. The police also recovered INR 4 Lakh from genuine Cosmos cardholders who
had visited ATMs while the malware was active and had withdrawn more money than their account
balance.
The cyber-crime cell and the Pune police managed to refund the money to the victims. This
action was initiated when the victims who had lost their money had approached the cyber-crime
cell.
The cyber cell got in touch with the law enforcement agencies of 28 countries (including the
United Kingdom, United States, United Arab Emirates, Canada and more) for further action.
The Pune Police and the Maharashtra Cyber Cell probing the case are yet to trace the mastermind
in the case. As of 19 September 2019, 18 people had been arrested by a special investigation team
of the Pune Police. The local module busted by the police could be “money mules” — people
who serve as intermediaries for criminals and criminal organizations — acting on behalf of
operators abroad.
In a 378-page report by the SIT committee it was stated that “The attack was a more advanced...
and highly coordinated operation that bypassed three main layers of defense contained in
International Criminal Police Organization (INTERPOL) banking/ ATM attack mitigation
guidance”. The report further added “Not only were the actors able to compromise the SWIFT
network...to transfer the funds to other accounts, but they simultaneously compromised internal
bank processes to bypass transaction verification procedures and order worldwide transfers to
almost 30 countries where funds were physically withdrawn by individuals in more than 10.000
separate transactions over a weekend”.
Impact on the business of the bank:
The bank was neither penalized for its weak cyber-security nor has anyone been held
accountable. This highlights the need for RBI to enforce its cyber guidelines for cooperative
banks as strictly as it has for commercial banks. Extensive audit reports had been called for.
The bank's annual report put the total amount involved in the attack at INR 100.22 crore,
including the exchange loss on payment settlement. That was not the only impact. The bank says
that “the cyber-attack and restoration of payment systems back to normalcy caused an impact on
the customers and their transactions.”
Timeline of refund by Pune police:
- January 2020: Rs 8.37 lakh
- February 2020: Rs 5.98 crore
- March 2020: Rs 27.25 lakh
- April 2020: Rs 50.52 lakh

1. Yahoo Data Breach

The Yahoo data breach broke all records of data theft in the history of cyber
crimes. Yahoo found itself at the target point of hackers not once but twice as
it came to terms with more than 3 billion user accounts being stolen! This
incident put personal information such as name, phone number, email ID and
passwords of 3 billion users out in the open! And the mystery continues till
date as Yahoo struggles to find how this data breach was initiated and
executed.

2. The Logic Bomb

Considered one of the most devastating attacks in the history of cyber
crimes, the aftermath of this logic bomb went way beyond a monetary tally. It
involved the Americans embedding a piece of code in equipment acquired by the Russians during the
cold war, in 1982. Once this code, which was used to control a pipeline for
transporting natural gas from Siberia, was activated, it caused an explosion so
strong that it could be seen even from space!

3. Ransomware WannaCry

Midway through 2017, the United Kingdom fell prey to one of the most
devious cyber attacks it had ever faced – the WannaCry ransomware. Delivered
as an email attachment, it locked up all files on an MS Windows powered
system, then demanded a ransom for unlocking them. Having started
as an attack on the NHS computer system, the ransomware slowly
brought systems from the UK to the US and from Russia to China to their
knees. As many as 300,000 computers across 150 countries were infected by
WannaCry.

4. Petya / NotPetya / Nyetya / Goldeneye

The world had barely recovered from the impact of WannaCry when another
wave of ransomware infections was unleashed onto networks all around the
globe. Called Petya, NotPetya and by a few other names, it hit networks
across multiple countries, the notable ones being the US pharmaceutical
company Merck, Danish shipping company Maersk, and Russian oil giant
Rosneft. Research has revealed that this ransomware attack was actually
intended to mask a targeted cyber attack against Ukraine. It was aimed at
Ukrainian infrastructure such as power companies, airports, the central bank
and public transit. The attack was able to facilitate payment processing on a
large scale for criminals, an illicit bitcoin exchange and money laundering
across 75 shell companies and accounts globally.

5. Sony Pictures
In 2011, Sony’s data storage was hacked exposing the records of over 100
million customers using their PlayStation’s online services. What was
shocking was that the hackers had access to all the credit card information of
users apart from personal details! This data breach cost Sony over 171 million
USD.

6. Epsilon

Epsilon – one of the world's largest email marketing service providers, handling
more than 40 billion emails and more than 2200 global brands – landed in a
soup when hackers stole details belonging to more than 50 of its clients,
including some top banks and retail giants! This data breach, which was
executed through a phishing email, cost Epsilon over 4 billion USD.
7. LinkedIn Hacking
Social networking website LinkedIn fell prey to a hack executed by
Russian cyber criminals who stole the passwords of nearly 6.5 million user
accounts. Soon these stolen passwords were made available in plain text on a
Russian password forum! Adversity struck again when LinkedIn discovered in
May 2016 that an additional 100 million compromised email addresses and
passwords that were claimed to be from the 2012 breach, were released into
the hacker forum. Some tech news reports have revealed that hackers were
trying to sell this information on a darknet market for around $2200 each!

8. JPMorgan Chase & Co

In 2015, the accounts of 76 million households and 7 million small
businesses associated with JPMorgan Chase were compromised in what the
hackers described as “one of the largest thefts of financial-related data in
history”. The hackers then sold this personal data to a larger network of
accomplices. Investigations later revealed that apart from personal data, the
hackers also stole business-critical data, which enabled them to
manipulate the company's stock prices and make illicit financial profits.

9. Hannaford Bros.

Hannaford, a supermarket chain with stores located mainly on the east coast
of the US, fell prey to a security breach that exposed more than 4 million credit
card numbers, leading to about 1800 cases of fraud in the year 2008. Having
affected nearly 200 of its stores, the breach cost Hannaford over 250 million
USD!

10. Citibank

The year 1995 saw Citibank caught up in a scandal when a criminal ringleader,
Vladimir Levin, hacked the bank and illicitly transferred about 3.7 million USD
into the bank accounts of his criminal organization. He executed this well-
planned hack using a computer based in London and a list of
customer codes and passwords. He was finally tracked down by the FBI at a
London airport.

Let us stay vigilant enough to not let history repeat itself!

Thus, one should always remember that the susceptibility of an organization or
individual to cyber crimes is not an IT problem. The 2016 global economic
crime survey has revealed the disheartening fact that most organizations
bluntly leave the first response to a data breach to their IT teams without
sufficient support or involvement of the senior management and other
significant contributors. Additionally, the composition of these response
teams is often not up to the mark, which ultimately affects the organization's
cyber security management.

Incognito Forensic Foundation (IFF Lab), which is headquartered in Chennai,
India, has a state-of-the-art digital forensic lab and is replete with forensic
experts adept at investigating cases of cyber crimes, data breach, identity
theft and the like. They also provide services and solutions for an
organization's cyber and data security analysis and management.
