Cosmos Bank hit by Rs 940 mn cyber hack; probe finds Hong Kong as source

The unidentified hackers had executed money transfers on two separate occasions, August 11 and August 13, which raises the question of why proactive measures were not taken on the first night itself

Advait Rao Palepu Mumbai
Last Updated : Aug 14 2018 | 10:20 PM IST
Cybercriminals have stolen Rs 940 million from Cosmos Bank, after attacking the server at its headquarters in Pune on August 11 and 13. According to the FIR filed by the bank’s management at the Chatushrungi police station at 1 am on Tuesday, the hackers exploited a malware vulnerability in its automated teller machine (ATM) switch system.

A senior officer of Pune cyber police said the money trail had taken them initially to an account of ALM Trading at Hang Seng Bank in Hong Kong. Preliminary investigations revealed that the money had been withdrawn from ATMs in 28 countries.

Cosmos is one of the oldest cooperative banks in the country, established in 1906.

The investigation being conducted by the cyber cell of Pune police will get technical support from the Maharashtra Computer Emergency Response Team, which is also conducting a parallel probe.

According to sources, hackers transferred Rs 805 million from bank accounts at Cosmos Bank to a foreign bank in 14,849 separate transactions through debit cards. Then, they conducted another attack to steal Rs 139 million through the SWIFT network.


The bank’s VISA and RuPay debit card systems, supported by the National Payments Corporation of India, were also compromised. The personal and financial information of about 500 customers was stolen. Police officers said this number could rise. The bank has shut down its internet banking operations and website.

The police officer said, “Based on the transactions, the origin of the attack is Hong Kong. We are studying the malware to see where else it could have been introduced and which institution might be attacked next.”

Experts said banks needed to be better prepared to deal with such malware campaigns. “Malwares used in cyberattacks now are fairly advanced and have the ability to suppress alerts. Banks need to have end-to-end cyber security to prevent such attacks,” said Siddharth Vishwanath, partner and cybersecurity advisory leader at PwC India.

He added that larger banks had more elaborate cybersecurity, but smaller, cooperative banks did not.

The Reserve Bank of India (RBI) has instituted a clear cybersecurity framework for financial institutions. A quick look shows this is addressed only to scheduled commercial banks (and rural banks), non-banking financial companies, small finance banks and payments banks. There is no specific cyber-security guideline for cooperative banks.

For instance, the guidelines call for all commercial banks to have a board-approved cyber-security policy. A chief information security officer should be appointed to the board and a clear cyber crisis management plan should be put in place, in addition to information and data security.


Experts, both in the private sector and in the police, said it would usually take between one and three weeks to conduct a thorough analysis of the attack to understand how it was done. However, even after identifying the source and origin of the attack, the legal proceedings were extremely difficult, time-consuming, and involved other jurisdictions.

In March 2017, Quick Heal Technologies notified bank management of the vulnerability on its website. In its report, Quick Heal said banks must update their “Windows Operating Systems with the latest security patches and use security solutions.”

Most cyberattacks or hacks take place because of a lax attitude among institutions when it comes to ensuring their computer networks are secured and updated with the latest operating systems and security protocols.

PwC’s Vishwanath said that while an information technology or security audit was required across the cooperative banking industry, that was only a step in addressing the larger problem of a fundamental under-investment in cybersecurity solutions.
