In the wake of the cyber heist carried out against Cosmos Cooperative Bank in August 2018, it is necessary to understand the history and anatomy of such attacks, which are no longer few and far between and hence cannot be ignored.
Government infrastructure, banks and other such entities are very closely tied to the financial well-being of a nation, and are attractive targets for attackers for that very reason. The other reason, of course, is MONEY.
It has been observed in the recent past that these types of attacks, specifically on banks, have become horrifyingly commonplace, leaving consumers feeling highly insecure. This paper attempts to understand some subtle and some not-so-subtle reasons behind the Cosmos Bank case. Although much of the content of this paper is based on the news articles published on the subject to date (sources are credited in the end section), some of it is speculation to fill in the gaps where the facts are still unknown or undisclosed.
A look at the available history of similar cyber heists against banks is a reasonable way to understand a trend that threatens to become an epidemic in the banking world. These cases are sure to give bankers in decision-making positions countless sleepless nights, understandably so, since they are custodians of their customers' hard-earned money, not to mention the general mayhem and bad PR that comes with such incidents.
Here are some of the very recent cases of such attacks on banks.
In February 2016, US$81 million was siphoned from Bangladesh Bank, the central bank of Bangladesh, after the attackers compromised the bank's SWIFT operations. The attackers were clever enough to time the heist with the weekend in the U.S., which delayed action from SWIFT and the New York Fed; it was not until Monday, February 8, 2016 that the bank could get any assistance.
The National Bank of Blacksburg, in May 2016, fell victim to a phishing-delivered malware attack that led to the compromise of multiple computers on the bank's network. The attackers eventually disabled or altered critical anti-theft and anti-fraud parameters. Hundreds of ATMs across North America were then used to withdraw cash, and more than US$569,000 was stolen over three days.
What’s to be noted here is that this attack took place over a long weekend.
Just eight months later, between January 7 and 9, 2017, a similar but more elaborate heist against the same bank resulted in a total of US$1,833,984 being stolen. In this heist the hackers also managed to erase all tracks that could have led back to them. Again, it should be noted that this attack too was carried out over a weekend.
As recently as December 2017, it emerged that hackers had attempted to siphon off nearly US$1 million from the Russian state-run bank Globex by funnelling the money away via fraudulent SWIFT transactions. The robbery was largely thwarted, however, and only about US$100,000 is believed to have been stolen.
Cosmos Co-operative Bank Ltd, a 112-year-old bank headquartered in Pune, Maharashtra, is one of the oldest cooperative banks in India. It was one of the first co-operative banks in the country to implement a Core Banking System (CBS) across its entire network of then 140 service outlets, using Infosys Finacle core banking software. Cosmos Bank operates in seven states of India, viz. Maharashtra, Gujarat, Madhya Pradesh, Karnataka, Andhra Pradesh, Telangana and Tamil Nadu, through its 140 branches. The bank has more than 2 million customers and 79,000 shareholders, and its revenue is upwards of USD 1.9 billion.
On August 11 and 13, 2018, a group of international hackers broke into the bank's servers. The total amount stolen was Rs 94 crore (roughly US$13.5 million).
Cosmos Bank issued a statement saying that none of its customer accounts were found to have been debited. What is noteworthy is that Cosmos Bank did not get any alert from its core banking system (CBS). It was VISA and SWIFT who alerted the bank to the suspicious transactions, after which the police were informed on August 13, 2018. Here is the timeline of how the events unfolded.
As is evident from the above timeline, the attack was carried out over a weekend. This is consistent with the modus operandi of the attackers in similar cases from the recent past.
Although nothing can be said with certainty as of now, it is being speculated that the North Korean state-sponsored threat group Lazarus is behind this attack. However, as per our research, there is no conclusive evidence to indicate this. Additionally, there is no visible chatter about the Cosmos Bank heist on the dark web.
Having said this, it cannot be denied that the Lazarus group could have spawned copycats in the hacker community, leading to a similar M.O. The attack bears signatures associated with the Lazarus Group, including the use of Windows admin shares for lateral movement, custom command and control (C2) traffic that mimics TLS, the installation of new services on targets for persistence, Windows Firewall changes, and a number of other techniques.
The Bangladesh bank heist has been attributed to the Lazarus group. Here is a brief history and evolution of Lazarus.
The main objective of this paper is to come up with a comprehensive list of Dos and Don'ts that will help banks avoid these types of situations in the future.
Keeping systems patched, although probably the most basic measure, is also the most overlooked one. The reasons for this range from sheer negligence to the business department's reluctance to allow any downtime.
The attention that test infrastructure receives is sorely lacking. UAT systems are usually unpatched and at the same time connected to production systems, which is a dangerous combination: an attacker who gains a foothold on an unpatched test box inherits its path into production. It is highly recommended that test systems are patched and protected just like production, and kept segregated from it, to avoid opening weaknesses in the system.
Application whitelisting should be introduced on critical bank servers. This prevents attackers from installing their remote-control tools, monitoring financial transactions and escalating privileges, and it also helps identify unauthorized attempts to run such malicious applications.
As an additional defense layer, the network can be configured to allow only specific connections, so that only the applications that are supposed to communicate with each other can do so.
Continuous monitoring and regular analysis of network traffic go a long way toward preventing nasty outcomes. Where the bank lacks this expertise, it is highly recommended that it seek external expert assistance. This is no longer a matter of choice on the bank's part.
Having said that, it is important for banks to understand that outsourcing the monitoring and analysis does not absolve them of responsibility. Banks should stay in constant touch with their monitoring service providers, understand the threats, and take the appropriate corrective and/or preventive measures.
Almost all bank heists seem to have started with an unaware or careless employee clicking on a malicious link. It is evident in all of these heists that the people-awareness factor played probably the most important part. User training on phishing and other social engineering tactics is a must, no matter how repetitive or boring it is for employees, along with constant reminders to be wary of genuine-seeming emails that ask for sensitive information or ask the reader to click on links.
It should be borne in mind at all times that phishers are getting cleverer and more sophisticated by the day.
It is worth noting here that the attacks were executed over a weekend, and alerts that would otherwise have been attended to went completely unnoticed. Banks have to be extra vigilant over weekends and holidays, which means staffed alert coverage during those periods, not just a queue that is read on Monday.
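As an added example, not taken from the original paper and not the bank's or any vendor's tooling, the script below applies the points above to constructed sample data. It flags the host-level signatures listed earlier (new services installed from user-writable directories, admin-share access, firewall rule changes), checks observed flows against an allow-list of which systems may talk to which (the network-level control recommended above), and raises the priority of anything that happens on a weekend. Event IDs follow Windows conventions (7045 service installed, 5140 share accessed, 2004 firewall rule added), but the log text, hostnames, IP ranges and allow-list entries are hypothetical, and 198.51.100.23 is a documentation address standing in for an internet host.

```python
import csv
import io
import ipaddress
from datetime import datetime
from typing import List, NamedTuple

# Constructed sample host events. Event IDs follow Windows conventions
# (7045 service installed, 5140 share accessed, 2004 firewall rule added);
# the 'detail' text is a simplified, made-up rendering of those records.
SAMPLE_EVENTS = r"""timestamp,host,event_id,user,detail
2018-08-11T02:14:07,ATMSWITCH01,7045,SYSTEM,New service WinSvcHost path=C:\Windows\Temp\svc.exe
2018-08-11T02:15:30,ATMSWITCH01,2004,ops_admin,Firewall rule added: allow TCP 443 outbound
2018-08-11T02:16:02,CBSAPP02,5140,ops_admin,Share \\CBSAPP02\ADMIN$ accessed from 10.20.5.17
2018-08-13T10:05:44,CBSAPP02,5140,svc_backup,Share \\CBSAPP02\Backups accessed from 10.20.7.41
2018-08-13T10:30:00,CBSAPP02,7045,SYSTEM,New service AVUpdate path=C:\Program Files\AV\update.exe
"""

# Constructed sample flow records (source, destination, destination port).
SAMPLE_FLOWS = """timestamp,src,dst,dport
2018-08-11T02:20:11,10.20.5.17,10.20.7.40,445
2018-08-11T02:22:19,10.20.7.40,198.51.100.23,443
2018-08-13T11:00:00,10.20.7.40,10.20.7.41,1521
2018-08-13T11:00:05,10.20.7.40,10.20.8.10,443
"""

# Hypothetical layout: 10.20.5.0/24 UAT, 10.20.7.0/24 core-banking app tier,
# 10.20.7.41 its database, 10.20.8.10 the payment-network gateway,
# 10.20.9.0/24 admin jump hosts. Any flow not listed here is a violation.
ALLOWED_FLOWS = [
    ("10.20.7.0/24", "10.20.7.41/32", 1521),  # app tier -> database
    ("10.20.7.0/24", "10.20.8.10/32", 443),   # app tier -> payment gateway
    ("10.20.9.0/24", "10.20.7.0/24", 3389),   # jump hosts -> app tier (RDP)
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # the bank's own space
WRITABLE_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\")
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")


class Finding(NamedTuple):
    when: datetime
    where: str
    rule: str
    severity: int  # 1 (low) .. 4 (urgent)


def score(ts: datetime, base: int) -> int:
    """Weekend activity (Saturday=5, Sunday=6) moves one notch up: the heists
    discussed above were timed for when nobody was watching the alerts."""
    return min(base + 1, 4) if ts.weekday() >= 5 else base


def triage_events(csv_text: str) -> List[Finding]:
    """Flag persistence and lateral-movement signatures in host events."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        eid, detail = int(row["event_id"]), row["detail"]
        rule, base = None, 0
        if eid == 7045:
            # A new service is the persistence step; a service binary under a
            # user-writable directory is the suspicious variant.
            if any(d in detail.lower() for d in WRITABLE_DIRS):
                rule, base = "service-from-writable-dir", 3
            else:
                rule, base = "new-service", 1
        elif eid == 5140 and any(s in detail for s in ADMIN_SHARES):
            rule, base = "admin-share-access", 2   # ADMIN$/C$ used to move laterally
        elif eid == 2004:
            rule, base = "firewall-rule-added", 2  # host firewall tampering
        if rule:
            findings.append(Finding(ts, row["host"], rule, score(ts, base)))
    return findings


def flow_allowed(src: str, dst: str, dport: int, allowed=ALLOWED_FLOWS) -> bool:
    """True only if some allow-list entry covers source, destination and port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               and dport == p for sn, dn, p in allowed)


def triage_flows(csv_text: str, allowed=ALLOWED_FLOWS) -> List[Finding]:
    """Report every flow the allow-list does not cover, rated by what it
    resembles: 443 to a non-internal host looks like C2 mimicking TLS,
    445 from the wrong segment looks like admin-share lateral movement."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts, dport = datetime.fromisoformat(row["timestamp"]), int(row["dport"])
        if flow_allowed(row["src"], row["dst"], dport, allowed):
            continue
        if ipaddress.ip_address(row["dst"]) not in INTERNAL:
            rule, base = "unapproved-egress", 3
        elif dport == 445:
            rule, base = "unapproved-smb", 3
        else:
            rule, base = "unapproved-flow", 2
        where = f"{row['src']}->{row['dst']}:{dport}"
        findings.append(Finding(ts, where, rule, score(ts, base)))
    return findings


def run(events: str = SAMPLE_EVENTS, flows: str = SAMPLE_FLOWS) -> List[Finding]:
    """Combined findings, most urgent first, then chronological."""
    return sorted(triage_events(events) + triage_flows(flows),
                  key=lambda f: (-f.severity, f.when))


if __name__ == "__main__":
    for f in run():
        print(f"sev={f.severity} {f.when:%a %Y-%m-%d %H:%M} {f.rule:26} {f.where}")
```

On the sample data the Saturday-night service install from C:\Windows\Temp, the SMB connection from the UAT segment into the core-banking tier, and the 443 connection to an outside host all come out at the top, while Monday's vendor AV service install stays at the bottom. `flow_allowed` is the same check a firewall or switch ACL is supposed to enforce; running it over NetFlow/IPFIX exports is a cheap way to verify that the allow-list the network is meant to enforce matches what actually flows. The weekend weighting only reorders the queue; it is no substitute for someone actually reading it on Saturday.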
Banks should keep an eye out for the advisories and tips that SWIFT releases from time to time in the restricted customer section of its website.
Finally, let us conclude with the various measures that the FBI suggested in its warnings to banks globally: