Cosmos Bank SWIFT/ATM US$13.5 Million Cyber Attack Detection Using Security Analytics
Oleg Kolesnikov, Securonix Threat Research Team
Figure 1: Cosmos Bank in India US$13.5 Million SWIFT/ATM Cyber Attack of August 2018 [1]
Introduction
The Securonix Threat Research team recently learned of a new high-profile cyber attack
targeting the SWIFT/ATM infrastructure of Cosmos Bank (COSDINBB), a 112-year-old
cooperative bank in India and the second largest in the country, resulting in over US$13.5
million stolen [1,2].
Below is a summary of what we currently know about this attack, together with the
Securonix predictive indicators and security analytics we recommend to increase your
chances of detecting such attacks against financial services/SWIFT.
• After adjusting the target account balances to enable withdrawals, the MC was likely
used to generate fake "*on-us", foreign-to-EFT, stand-in and similar activity that allowed
the threat actor to authorize ATM withdrawals of over US$11.5 million in 2,849 domestic
(RuPay) and 12,000 international (Visa) transactions using 450 cloned (non-EMV) debit
cards in 28 countries.
• Using the MC, the attackers were likely able to send fake Transaction Reply (TRE)
messages in response to Transaction Request (TRQ) messages from cardholders and
terminals. As a result, the required ISO 8583 messages (ISO 8583 is the international
standard for systems that exchange electronic transactions initiated by cardholders using
payment cards) were never forwarded from the compromised ATM/POS switching solution
to the backend/CBS, which enabled the malicious withdrawals and blinded the fraud
detection on the banking backend.
Based on our experience with real-world attacks involving ATM and SWIFT, following the
initial compromise the attackers most likely either leveraged the vendor's ATM test software
or modified the deployed ATM payment switch software to create a malicious proxy switch.
As a result, the details the payment switch sends to authorize a transaction were never
forwarded to the CBS, so the checks on card number, card status (Cold, Warm, Hot), PIN
and more were never performed. Instead, each request was handled by the attacker-deployed
MC, which sent fake responses authorizing the transactions.
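One practical way to catch the proxy-switch behavior described in the two bullets above and in this paragraph is to reconcile the approvals the switch hands to terminals against what the CBS actually authorized. The following is an added example, not code from the Securonix paper or from Cosmos Bank: the switch replies, CBS authorization log and card file are constructed, the records are pre-parsed dicts whose keys follow ISO 8583 data element numbers rather than raw ISO 8583 messages, and the (STAN, PAN) join key and the "Hot means blocked" card-status rule are assumptions.

```python
"""Reconcile ATM switch approvals against core banking system (CBS) records.

Added example, not code from the Securonix paper or from Cosmos Bank. The
records are constructed and pre-parsed: dict keys follow ISO 8583 data
element numbers (DE2 PAN, DE4 amount in minor units, DE11 STAN, DE39
response code) rather than raw ISO 8583 bitmaps. The (STAN, PAN) join key
and the card-status semantics are assumptions.
"""
from collections import Counter

APPROVED = "00"  # ISO 8583 DE39 response code: approved

# Constructed 0210 Transaction Reply messages the switch returned to terminals.
SWITCH_REPLIES = [
    {"mti": "0210", "de2": "4000000000000010", "de4": 10000, "de11": "000101", "de39": APPROVED},
    {"mti": "0210", "de2": "4000000000000010", "de4": 50000, "de11": "000102", "de39": "51"},
    {"mti": "0210", "de2": "4000000000000028", "de4": 250000, "de11": "000103", "de39": APPROVED},
    {"mti": "0210", "de2": "4000000000000036", "de4": 300000, "de11": "000104", "de39": APPROVED},
    {"mti": "0210", "de2": "4000000000000044", "de4": 20000, "de11": "000105", "de39": APPROVED},
    {"mti": "0210", "de2": "4000000000000044", "de4": 40000, "de11": "000106", "de39": APPROVED},
]

# Constructed CBS authorization log: the decision the CBS actually made,
# keyed by (STAN, PAN). Requests swallowed by a proxy switch are absent.
CBS_AUTHS = {
    ("000101", "4000000000000010"): APPROVED,
    ("000102", "4000000000000010"): "51",  # insufficient funds
    ("000105", "4000000000000044"): APPROVED,
    ("000106", "4000000000000044"): "05",  # do not honor
}

# Constructed CBS card file. Assumption: "Hot" means the card is blocked and
# must be declined; the meaning of Warm/Cold varies by switch vendor, so this
# example does not hard-decline them.
CARD_FILE = {
    "4000000000000010": {"status": "Warm", "limit": 100000},
    "4000000000000028": {"status": "Hot", "limit": 100000},
    "4000000000000036": {"status": "Cold", "limit": 100000},
    "4000000000000044": {"status": "Warm", "limit": 100000},
}


def _alert(reply, reason):
    return {"stan": reply["de11"], "pan": reply["de2"], "reason": reason}


def reconcile(switch_replies, cbs_auths, card_file, decline_statuses=frozenset({"Hot"})):
    """Alert on every approval the switch issued that the CBS did not make, or
    that the CBS card checks (status, per-transaction limit) would have rejected."""
    alerts = []
    for r in switch_replies:
        if r["mti"] != "0210" or r["de39"] != APPROVED:
            continue  # only approvals move cash out of an ATM
        key = (r["de11"], r["de2"])
        if key not in cbs_auths:
            alerts.append(_alert(r, "approved_without_cbs"))         # 0200 never reached the CBS
        elif cbs_auths[key] != APPROVED:
            alerts.append(_alert(r, "switch_overrode_cbs_decline"))  # CBS said no, terminal got yes
        card = card_file.get(r["de2"])
        if card is None:
            alerts.append(_alert(r, "unknown_pan"))
            continue
        if card["status"] in decline_statuses:
            alerts.append(_alert(r, "approved_blocked_card"))
        if r["de4"] > card["limit"]:
            alerts.append(_alert(r, "approved_over_limit"))
    return alerts


def summarize(alerts):
    """Alert counts per reason, as a plain dict."""
    return dict(Counter(a["reason"] for a in alerts))


if __name__ == "__main__":
    found = reconcile(SWITCH_REPLIES, CBS_AUTHS, CARD_FILE)
    for a in found:
        print(a)
    print(summarize(found))
```

On the constructed data, STANs 000103 and 000104 are approved at the switch with no CBS record at all (the proxy-switch case), 000106 is approved at the terminal although the CBS declined it, and the Hot-card and over-limit checks fire because the CBS card file was never consulted. The join has to run on a log source the switch host cannot rewrite, such as the CBS side or a network tap, otherwise a compromised switch can simply fabricate matching records.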
Beyond what ATM and SWIFT transaction monitoring can see, this attack likely involved a
significant number of common cyber attack behaviors while the malicious infrastructure
needed to execute it was developed and stood up. As mentioned, this high-profile SWIFT/
ATM banking attack is currently attributed to the Lazarus Group, a nation-state-sponsored
actor associated with the DPRK. Some of the attack techniques commonly used by this
threat actor include use of Windows Admin Shares for lateral movement, custom command
and control (C2) that mimics TLS, adding new services on targets for persistence,
Windows Firewall changes, timestomping, reflective DLL injection, and a number of other
techniques (see https://attack.mitre.org/wiki/Group/G0032 for more details).
Based on the details above, this attack is a good example of the fact that, while ATM and
SWIFT transaction monitoring is important, it often is not enough and may only give you 10-
20% of the required detection coverage. To detect modern threat actors targeting banks, in
addition to automatically baselining transactions, it is critical to also be able to monitor
and baseline the behavior of your users, your systems, and your networks to detect
anomalies (often 70-80%+ of the detection success), and then connect all of the dots
properly to detect an attack in progress.
Taking into account our expertise and the known techniques used by the threat actors
attributed to the attack, particularly the Lazarus Group, some high-level examples of the
relevant Securonix behavior analytics/predictive indicators that could help detect such
attacks in your banking environment include:
• Suspicious Network Activity – Rare Outbound Network Connection For Host Analytic
(can be used to help detect attack activity associated with the compromised ATM switch)
• Suspicious ATM Activity – Peak *On-Us Transaction Volume For PAN Analytic
• Suspicious ATM Activity – Amount – Unusual Foreign Cash-out Volume Analytic
• Suspicious Transaction Activity – Targeted – Cash Withdrawal Limit Elimination Analytic
(malicious threat actors manually changing cash withdrawal limits)
• Suspicious Process Activity – Rare Scheduled Task For Host Analytic (an example that
can be used to detect one of the common techniques leveraged by the Lazarus Group, to
which the attacks were attributed)
• Suspicious Process Activity – Targeted – Executable File Creation Analytic
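The two analytic patterns that recur in the list above, and that the preceding paragraph calls the 70-80% of detection success, are a peak-volume check (an entity doing far more of something than its own history) and a rare-attribute check (an entity doing something it has never done before), followed by correlating entities hit by both. The block below is an added example, not Securonix analytics code or the product's rule language: it implements both checks generically and runs them over constructed ATM withdrawal, outbound connection and scheduled-task events. Field names, the mean plus three standard deviations threshold, the absolute floor, and all sample values are assumptions for illustration.

```python
"""Behavior baselining over ATM, network and process telemetry.

Added example, not Securonix analytics code. Two generic analytics run over
constructed sample events: a peak-volume check (an entity's count in the
current window against the mean and standard deviation of its own past
windows) and a rare-attribute check (a value never seen before for that
entity). Field names, thresholds and data are assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev


def window_counts(events, entity_key, window_key):
    """Events per (entity, window), e.g. withdrawals per PAN per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e[entity_key]][e[window_key]] += 1
    return counts


def peak_volume(history, current, entity_key, window_key, k=3.0, floor=5):
    """Entities whose current-window count exceeds mean + k*stdev of their
    historical per-window counts. `floor` is an absolute minimum so a quiet
    entity with near-zero stdev is not flagged on a single extra event."""
    past = window_counts(history, entity_key, window_key)
    alerts = []
    for entity, windows in window_counts(current, entity_key, window_key).items():
        samples = list(past[entity].values())
        limit = max(mean(samples) + k * pstdev(samples), floor) if samples else floor
        for window, n in windows.items():
            if n > limit:
                alerts.append({"entity": entity, "window": window, "count": n, "limit": round(limit, 2)})
    return alerts


def rare_attribute(history, current, entity_key, attr_key):
    """Current events whose attribute value never appeared for that entity in
    history: first-seen country for a PAN, first-seen destination or scheduled
    task for a host."""
    seen = defaultdict(set)
    for e in history:
        seen[e[entity_key]].add(e[attr_key])
    return [e for e in current if e[attr_key] not in seen[e[entity_key]]]


def correlate(peak_alerts, rare_events, entity_key):
    """Entities hit by both analytics: the 'connect the dots' step."""
    return {a["entity"] for a in peak_alerts} & {e[entity_key] for e in rare_events}


# Constructed ATM withdrawal events (ISO 3166 numeric country codes; 356 = India).
ATM_HISTORY = (
    [{"pan": "4000000000000010", "day": f"2018-08-0{d}", "country": "356"} for d in range(1, 5)]
    + [{"pan": "4000000000000044", "day": f"2018-08-0{d}", "country": "356"} for d in range(1, 5) for _ in range(2)]
)
ATM_CURRENT = (
    [{"pan": "4000000000000010", "day": "2018-08-11", "country": c} for c in ("840", "124", "826", "392") for _ in range(10)]
    + [{"pan": "4000000000000044", "day": "2018-08-11", "country": "356"}]
)

# Constructed outbound connections and scheduled-task creations on the switch host.
NET_HISTORY = [{"host": "atm-switch-01", "dst": d} for d in ("10.0.5.20:1433", "10.0.5.21:443") for _ in range(20)]
NET_CURRENT = [{"host": "atm-switch-01", "dst": "10.0.5.21:443"}, {"host": "atm-switch-01", "dst": "203.0.113.10:443"}]
TASK_HISTORY = [{"host": "atm-switch-01", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag"}]
TASK_CURRENT = [{"host": "atm-switch-01", "task": r"\Microsoft\Windows\Sync"}]  # constructed name, not an indicator


def run():
    """Run all analytics over the constructed data and return the findings."""
    peaks = peak_volume(ATM_HISTORY, ATM_CURRENT, "pan", "day")
    foreign = rare_attribute(ATM_HISTORY, ATM_CURRENT, "pan", "country")
    return {
        "peak_volume_pans": peaks,
        "rare_country_events": len(foreign),
        "rare_country_pairs": sorted({(e["pan"], e["country"]) for e in foreign}),
        "escalate_pans": sorted(correlate(peaks, foreign, "pan")),
        "rare_outbound": rare_attribute(NET_HISTORY, NET_CURRENT, "host", "dst"),
        "rare_tasks": rare_attribute(TASK_HISTORY, TASK_CURRENT, "host", "task"),
    }


if __name__ == "__main__":
    for name, finding in run().items():
        print(name, finding)
```

The same two functions cover several of the listed indicators by changing only the entity and attribute keys: PAN/day for peak on-us volume, PAN/country for unusual foreign cash-out, host/destination for rare outbound connections, and host/task for rare scheduled tasks. The escalation set is where the transaction-side and host-side signals meet; in this sample the one PAN that both spikes in volume and appears in four never-before-seen countries is the only entity escalated.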
References
[1] Gitesh Shelke. Cosmos Bank Data From 9 Years Compromised. Times of India. 19 August 2018. https://timesofindia.indiatimes.com/city/pune/cosmos-bank-data-from-9-years-compromised-in-rs-94-42cr-heist/articleshow/65456374.cms. Last Accessed: August 20, 2018
[2] Penny Crossman. An ATM attack the FBI warned of came to pass. Expect more. American Banker. 22 August 2018. https://www.americanbanker.com/news/an-atm-attack-the-fbi-warned-of-came-to-pass-expect-more?feed=00000158-babc-dda9-adfa-fefef5720000. Last Accessed: August 22, 2018
[3] Graeme Burton. ATM hackers steal $13.5m in 28 countries from India's Cosmos Bank – just days after FBI warning. Computing. 15 August 2018. https://www.computing.co.uk/ctg/news/3061187/atm-hackers-steal-usd135m-in-28-countries-from-indias-cosmos-bank-just-days-after-fbi-warning. Last Accessed: August 28, 2018
[4] ET Online. North Korean connection to Cosmos hacking? Signs point to Bangladesh heist masterminds. The Economic Times. 15 August 2018. https://economictimes.indiatimes.com/industry/banking/finance/banking/north-korean-connection-to-cosmos-hacking-signs-point-to-bangladesh-heist-masterminds/articleshow/65411640.cms. Last Accessed: August 28, 2018
[5] Geetha Nandikotkur. Cosmos Bank Heist: No Evidence Major Hacking Group Involved. Information Security Media Group. 29 August 2018. https://www.inforisktoday.in/cosmos-bank-heist-no-evidence-major-hacking-group-involved-a-11435. Last Accessed: August 28, 2018
[6] Trend Micro. A Look into the Lazarus Group's Operations. 24 January 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations. Last Accessed: August 28, 2018