How an anticipated ATM hack netted $13 million from India’s Cosmos bank

After warnings of an impending major ATM cash-out had bank security teams working overtime last weekend, crooks made off with over $13 million over the weekend in a double attack on India’s venerable Cosmos bank.

The bulk of the stolen money was taken in cash from ATMs around the world, with almost 15,000 separate withdrawals carried out in the space of seven hours on Saturday. Of those, 2,849 transactions were made within India, with the other 12,000 spread across 28 countries around the world.

The cashing-out was facilitated by an attack on the bank’s network gateway, enabling the crooks to redirect approval requests to a proxy server under their control. This sent spoofed approvals allowing the withdrawals to go ahead, netting over 800 million rupees (around $11.4 million).

Meanwhile, a second branch of the attack set up a SWIFT transfer from the bank to an account in Hong Kong, hosted by the Hang Seng Bank according to the Hindustan Times. This took place on Monday, adding another 140 million rupees (just under $2 million) to the haul.

The identities of those behind the attacks remains unclear, although The Economic Times of India speculates that North Korean hacking group Lazarus may have been involved. The same group is thought to have been behind major digital heists at the Bangladesh Bank back in 2016; those attacks also leveraged the SWIFT system to spirit away the stolen funds.

Other sources quote the bank’s chairman Milind Kale as suggesting a Canadian connection, possibly due to a large proportion of the cashing-out taking place there.

It seems likely that authorities have at least some information on the ATM component of the operation though, as the FBI apparently issued a worldwide alert warning banks that a major spree was being planned. Details of the alert were leaked by security reporter Brian Krebs on Sunday, right in the middle of the Cosmos attacks.

Whether much could be done on such short notice remains to be seen; the FBI’s advice centers around standard security practices such as requiring two-factor authentication for high-privilege admins, running strong malware protections, and closely monitoring networks for intrusions.

The agency also recommend imposing extra authentication requirements and limits on high-value transactions, but with the crooks effectively bypassing the bank’s approval systems — much as they did in the National Bank of Blacksburg heists last year — such measures may well be of little help.

Cosmos bank, founded in 1906 and calling itself “the leading co-operative bank in India,” provided no information on the incident on its main public website at the time of writing, although somewhat ironically its homepage does reference a recent award for Banking Technology Excellence.

A bank spokesperson said during a press conference in India that the bank’s security systems were not compromised, despite indications to the contrary, and also insisted that no customer accounts would be affected, according to the Times of India. The bank’s online services were disabled after the attack, and remained out of action almost a week later.