Delaware, USA – August 16, 2018 – Last weekend, unknown adversaries withdrew 940 million rupees (more than $13 million) from the Indian bank Cosmos in three stages. The investigation of the incident continues, and the bank reports that the funds in clients’ accounts were not affected. The first stage of the attack on Cosmos bank occurred on Saturday, August 11, when the adversaries transferred $11 million to 28 countries and withdrew it via ATMs using cloned cards. Two hours later, the attackers transferred another $400,000 and withdrew it at ATM locations across India. Security officers spotted the suspicious withdrawals and stopped these stages of the attack by turning off their servers and all internet banking applications. However, the attackers launched the third stage of the attack on Monday, August 13, and conducted three SWIFT transactions for an additional 2 million to an account at a Hong Kong bank.
It is impossible to determine now which threat actor is behind such a large-scale operation: so far the attack has been traced to Canada, but the true culprits could be anywhere. India’s Economic Times reported that the Lazarus group is one of the suspects in this cybercrime; the group is known for its interest in the financial sector and for successful theft of funds through the SWIFT inter-banking system. The Lazarus group has been carrying out large-scale attacks on financial organizations around the world since the beginning of the year, continually upgrading its tools and improving its techniques (1, 2, 3). Detection of their attacks in the early stages of the Cyber Kill Chain is possible with a SIEM and the analytical package APT Framework: https://my.socprime.com/en/integrations/apt-framework-arcsight