TILL DATE UPDATE ON CYBER ATTACK ON COSMOS BANK
By Sukriti Verma
Cosmos bank, one of the largest banks of Pune lost Rs.94 crore to hackers in August 2018. They managed to siphon of such an amount through a malware attack cloning thousands of bank’s debit cards within a period of two days.
The chairman Milind Kale of the cosmos bank reported that the hackers were Canada based and attacked on August 11 and August 13. To be of more detail the hackers withdrew a total of Rs 78 crore from various ATMs of 28 countries including Canada, Hong Kong, India but most of the amount by India. ₹2.50 crore was withdrawn through 2,800 debit card transactions in India at various locations. ₹13.9 crore was transferred through SWIFT (Society for Worldwide Interbank Financial Telecommunication) transactions. The bank came to know about the malware attack on its debit card payment system on August 11. It observed that unusual repeated transactions were taking place through ATM VISA and RuPay cards for nearly two hours.
This was followed by another attack in which hackers again transferred Rs 13.92 crore in a Hong Kong-based bank by using fraudulent transactions. Malware attack was on the switch, which is operative for payment gateways of Visa and Rupay debit cards. However the cooperative bank’s core banking system was not affected and it has already appointed a professional forensic agency to investigate the fraud. While cloning the cards and using a “parallel” or proxy switch system, the hackers self-approved the transactions and withdrew over Rs 80.5 crore in about 15,000 transactions. The core banking system of the bank receives debit card payment requests via ‘switching system’, but during this malware attack, a proxy switch was created and all the fraudulent payment approvals were passed by this proxy switching system. As per the payment settlement system, Visa and Rupay raised the payment demand for all these transactions and as per the agreement; bank had to pay this Rs 80.5 crore amount to them.
As a precautionary measure, the bank closed ATMs operations and suspended net and mobile banking facilities for that period of time. And appealed customers to remain calm and not to get panic as savings, term deposits, and recurring accounts of all the stakeholders are fully safe. As far as the recovery of the amount is concerned the malware attack was not against any bank but against the banking system and was done at international level in a very “coordinated way”.
The bank registered an FIR at the Chatushringi police station in the city. A case was registered under sections 43, 65, 66(C) and 66 (D) of the Information Technology Act and relevant sections of the Indian Penal Code.
After 7 months of conducting further investigation it was found by the UN that the attack was motivated by the North Korea. According to the report by the UN “The panel notes a trend in the Democratic People’s Republic of Korea’s evasion of financial sanctions of using cyber attacks to illegally force the transfer of funds from financial institutions and crypto currency exchanges. The attack was a more advanced… and highly coordinated operation that bypassed three main layers of defense contained in International Criminal Police Organization (INTERPOL) banking/ ATM attack mitigation guidance. Not only were the actors able to compromise the SWIFT network…to transfer the funds to other accounts, but they simultaneously compromised internal bank processes to bypass transaction verification procedures and order worldwide transfers to almost 30 countries where funds were physically withdrawn by individuals in more than 10,000 separate transactions over a weekend.’’
As far as the investigation conducted on local ground by the Pune police is concerned, the Pune Police and the Maharashtra Cyber Cell probing the case so far, 12 people have been arrested by a special investigation team of the Pune Police. Sources said the local module busted by the police could be “money mules” — people who serve as intermediaries for criminals and criminal organizations — acting on behalf of operators abroad. Both the Maharashtra Police and cyber experts had expressed their apprehension of the involvement of Lazarus Group, a hacker group comprising unknown people linked to North Korea.
After 12 months from the attack the Special Investigation Team (SIT) constituted by the State Government to probe into the August 2018 multi-crore Cosmos Cooperative Bank malware attack case has been unable to report any major breakthrough in the case with regards to the masterminds of the crime, 15 months after the attack.
The five accused in the chargesheet, running into 400 pages, have been identified as Feroz Yasin Shaikh (37) of Mumbai, Salman Naeem Baig (31), Shahbaz Arif Khatri (30), Asif Jamil Shaikh (31) and Shahbaz Farooq Shaikh (29), all from Thane. Accused of being ‘ money mules’ they are under judicial custody and lodged in Yerawada Central Prison.
They have been accused of allededly withdrawing money to the tune of Rs 61 lakh from different ATMs in Jaipur and Indore. All five are currently under judicial custody and lodged in Yerwada Central Prison. Police said the five accused are “money mules” who had allegedly withdrawn money to the tune of Rs 61 lakh from different ATMs in Jaipur and Indore. The SIT has arrested 18 accused in connection with the case so far and on the lookout for the mastermind who has been evading the investigating agencies for a long time.
On 18 February 2020 Cosmos bank recovered ₹5.73 crore from Hong Kong-based Hang Seng Bank on Monday according to Pune police. Pune police officials told media that they were expecting to recover ₹10 crore from the Hong Kong Bank. Hackers had transferred ₹13.92 crore in this bank account and further, they siphoned off ₹3 crore from the account before police intervened requesting a Hong Kong court to freeze it. The police had also asked Cosmos Bank officials to file a civil suit against the Hang Seng Bank. Pune Police along with their counterparts in Hong Kong followed up on the matter and court hearings have started.