North Korean APT hackers group Lazarus attempting high profile SWIFT/ATM Attack on Cosmos Bank in India and stolen over US$13.5( INR 78 Crore) million.

Cosmos Bank is one of the second largest banks in India, it’s a 112-year-old cooperative bank and the bank is headquartered in Pune India.

Cyber Criminals targeted the bank’s ATM switch server SWIFT system via Malware infection and stole details of VISA and Rupay ATM cards on August 11 and 13.

In this case, Attackers have withdrawn Money “physically” from 28 countries including the UK, USA, Russia and the UAE using cloned ATM cards.

This is one of the well-planned and more advanced cyber Attack with a highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance.

According to Jyotipriya Singh, Cybercrime DCP, The hackers must have done some kind of “recce” (study) of the bank’s system, “We suspect that the bank must have received some sort of alerts before the attack and we are waiting for the security audit report from the bank,”

How Did Hackers Compromise the ATM/SWIFT System

Attackers Intially using multiple targeted malware to breaking the connection between the Central and the backend/Core Banking System along with malicious ATM/POS switch in order to compromise an ATM Modality.

Once hackers take over the existing Central using Malicious Central, they make changes to the target account balances and enable the withdrawals such as foreign-to-EFT, standing-in, etc.

After these changes in ATM Modality, threat actor authorize to access the ATM and withdrawals for over US$11.5 million in 2849 domestic (Rupay) and 12,000 international (Visa) transactions using 450 cloned (non-EMV) debit cards in 28 countries.

Apart from this, attackers able to send fake Transaction Reply (TRE) using malicious-Central (malicious ATM/POS switch) and also it enables the malicious withdrawals and impacted the fraud detection capabilities on the banking backend.

Attack Continuity to SWIFT Modality

Later attacker moving into Cosmos Bank SWIFT and compromise it by sending three malicious MT103 to ALM Trading Limited at Hang Seng Bank.

Unlike other SWIFT and ATM attacks such as card-not-present (CNP), jackpotting, or blackboxing fraud, it is one of the most advanced attacks.

According to securonix, Based on our experience with real-world attacks involving ATM and SWIFT, following the initial compromise, attackers most likely either leveraged the vendor ATM test software or made changes to the currently deployed ATM payment switch software to create a malicious proxy switch.

Using this  Technique, When the attacker sends from the payment switch to perform an authorized traction were never forwarded to CBS so the checks on card number, card status (Cold, Warm, Hot), PIN, and more were never performed.

Mitigation Steps to Detect Banking environment Cyberattack 

  • Suspicious Transaction Activity – Targeted – Frontend and backend Transaction Discrepancy Analytic (This can be used to help detect malware activity utilized to compromise ATM switches e.g. where TR enters a payment switch but never leaves for authorization etc.)
  • Suspicious SWIFT Endpoint Activity – Rare SAA Process/MD5 Analytic
  • Suspicious SWIFT Activity – Amount – Unusual 103 For Source Analytic
  • Suspicious ATM Activity – Peak Sequential Non-EMV Transactions For ATM Source Analytic
  • Suspicious Network Activity – Amount – Unusual PCCR Changes Analytic (This can be used to help detect unusual changes in the behavior of the ATM switches from a network perspective.)
  • Suspicious ATM Activity – Peak EMV Fallbacks to Magstripe Analytic
  • Suspicious Network Activity – Rare Outbound Network Connection For Host Analytic (This can be used to help detect attack activity associated with the compromised ATM switch.)
  • Suspicious ATM Activity – Peak *On-Us Transaction Volume For PAN Analytic
  • Suspicious ATM Activity – Amount – Unusual Foreign Cash-out Volume Analytic
  • Suspicious Transaction Activity – Targeted – Cash Withdrawal Limit Elimination Analytic – Malicious threat actors manually changing cash withdrawal limits
  • Suspicious Process Activity – Rare Scheduled Task For Host Analytic (This is an example that can be used to detect one of the common techniques leveraged by Lazarus Group to which the attacks were attributed.)
  • Suspicious Process Activity – Targeted – Executable File Creation Analytic
  • Also, you can read Advanced ATM Penetration Testing Methods