Monday, February 10, 2025
HomeComputer SecurityFamous Indian Bank SWIFT/ATM System Hacked - Hackers Stolen US$13.5 Million -...

Famous Indian Bank SWIFT/ATM System Hacked – Hackers Stolen US$13.5 Million – A High Profile Cyber Attack

Published on

SIEM as a Service

Follow Us on Google News

North Korean APT hackers group Lazarus attempting high profile SWIFT/ATM Attack on Cosmos Bank in India and stolen over US$13.5( INR 78 Crore) million.

Cosmos Bank is one of the second largest banks in India, it’s a 112-year-old cooperative bank and the bank is headquartered in Pune India.

Cyber Criminals targeted the bank’s ATM switch server SWIFT system via Malware infection and stole details of VISA and Rupay ATM cards on August 11 and 13.

In this case, Attackers have withdrawn Money “physically” from 28 countries including the UK, USA, Russia and the UAE using cloned ATM cards.

This is one of the well-planned and more advanced cyber Attack with a highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance.

According to Jyotipriya Singh, Cybercrime DCP, The hackers must have done some kind of “recce” (study) of the bank’s system, “We suspect that the bank must have received some sort of alerts before the attack and we are waiting for the security audit report from the bank,”

How Did Hackers Compromise the ATM/SWIFT System

Attackers Intially using multiple targeted malware to breaking the connection between the Central and the backend/Core Banking System along with malicious ATM/POS switch in order to compromise an ATM Modality.

Once hackers take over the existing Central using Malicious Central, they make changes to the target account balances and enable the withdrawals such as foreign-to-EFT, standing-in, etc.

After these changes in ATM Modality, threat actor authorize to access the ATM and withdrawals for over US$11.5 million in 2849 domestic (Rupay) and 12,000 international (Visa) transactions using 450 cloned (non-EMV) debit cards in 28 countries.

Apart from this, attackers able to send fake Transaction Reply (TRE) using malicious-Central (malicious ATM/POS switch) and also it enables the malicious withdrawals and impacted the fraud detection capabilities on the banking backend.

Attack Continuity to SWIFT Modality

Later attacker moving into Cosmos Bank SWIFT and compromise it by sending three malicious MT103 to ALM Trading Limited at Hang Seng Bank.

Unlike other SWIFT and ATM attacks such as card-not-present (CNP), jackpotting, or blackboxing fraud, it is one of the most advanced attacks.

According to securonix, Based on our experience with real-world attacks involving ATM and SWIFT, following the initial compromise, attackers most likely either leveraged the vendor ATM test software or made changes to the currently deployed ATM payment switch software to create a malicious proxy switch.

Using this  Technique, When the attacker sends from the payment switch to perform an authorized traction were never forwarded to CBS so the checks on card number, card status (Cold, Warm, Hot), PIN, and more were never performed.

Mitigation Steps to Detect Banking environment Cyberattack 

  • Suspicious Transaction Activity – Targeted – Frontend and backend Transaction Discrepancy Analytic (This can be used to help detect malware activity utilized to compromise ATM switches e.g. where TR enters a payment switch but never leaves for authorization etc.)
  • Suspicious SWIFT Endpoint Activity – Rare SAA Process/MD5 Analytic
  • Suspicious SWIFT Activity – Amount – Unusual 103 For Source Analytic
  • Suspicious ATM Activity – Peak Sequential Non-EMV Transactions For ATM Source Analytic
  • Suspicious Network Activity – Amount – Unusual PCCR Changes Analytic (This can be used to help detect unusual changes in the behavior of the ATM switches from a network perspective.)
  • Suspicious ATM Activity – Peak EMV Fallbacks to Magstripe Analytic
  • Suspicious Network Activity – Rare Outbound Network Connection For Host Analytic (This can be used to help detect attack activity associated with the compromised ATM switch.)
  • Suspicious ATM Activity – Peak *On-Us Transaction Volume For PAN Analytic
  • Suspicious ATM Activity – Amount – Unusual Foreign Cash-out Volume Analytic
  • Suspicious Transaction Activity – Targeted – Cash Withdrawal Limit Elimination Analytic – Malicious threat actors manually changing cash withdrawal limits
  • Suspicious Process Activity – Rare Scheduled Task For Host Analytic (This is an example that can be used to detect one of the common techniques leveraged by Lazarus Group to which the attacks were attributed.)
  • Suspicious Process Activity – Targeted – Executable File Creation Analytic
  • Also, you can read Advanced ATM Penetration Testing Methods
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...

New Report of of 1M+ Malware Samples Show Application Layer Abused for Stealthy C2

A recent analysis of over one million malware samples by Picus Security has revealed...

Seven-Year-Old Linux Kernel Bug Opens Door to Remote Code Execution

Researchers have uncovered a critical vulnerability in the Linux kernel, dating back seven years,...

Ransomware Payments Plunge 35% as More Victims Refuse to Pay

In a significant shift within the ransomware landscape, global ransom payments plummeted by 35%...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...

Quishing via QR Codes Emerging as a Top Attack Vector Used by Hackers

QR codes, once a symbol of convenience and security in digital interactions, have become...

New ‘BYOTB’ Attack Exploits Trusted Binaries to Evade Detection, Researchers Reveal

A recent cybersecurity presentation at BSides London 2024 has unveiled a sophisticated attack technique...