By Oleg Kolesnikov, Securonix Threat Research Team
Figure 1: Cosmos Bank in India US$13.5 Million SWIFT/ATM Cyber Attack of August 2018 
The Securonix Threat Research team recently learned of a new high-profile cyber attack targeting SWIFT/ATM infrastructure of Cosmos Bank (COSDINBB), a 112-year old cooperative bank in India and the second largest in the country, resulting in over US$13.5 million stolen [1,2].
Below is a summary of what we currently know about this high-profile attack and recommended Securonix predictive indicators and security analytics to increase your chances of detecting such attacks targeting financial services/SWIFT.
- Impact: US$13.5 million stolen from Cosmos Bank between August 10-13, 2018.
- Scope: Malware infection, ATM switch compromise, SWIFT environment compromise.
- Attack techniques: Multiple (see below).
- Initial infiltration: Unconfirmed. Based on the attribution, likely spear phishing and/or remote administration/third-party interface.
- Attribution: As of August 27, 2018: Currently attributed to a nation-state-sponsored malicious threat actor (Lazarus Group) by some sources [3,4]. Updated August 29, 2018: According to the latest report from the Maharashtra Special Investigation Team performing the investigation of the attack, they have not yet been able to link the attacks to the Lazarus or Cobalt hacking groups, noting that the Cosmos bank attackers “wiped out all tracks, leaving no evidence; it’s well-planned.” . The latter is consistent with the behavior of major hacking groups, including Lazarus group, that are known to use tools that wipe out all tracks and evidence. To illustrate, according to the TrendMicro report on Lazarus Group operations from earlier this year, Lazarus Group use wiper tools that remove Prefetch, event logs, MFT records and other evidence from the compromised systems .
Cosmos Bank Attacks – Securonix Technical Analysis
While many technical details of the attack are currently unknown, based on publicly available details, our technical analysis, and expertise, here are some of the key technical details describing the most likely progression of this high-profile ATM/SWIFT banking attack:
Cosmos Bank Cyberattack – ATM Modality – US$11.5 Million Stolen:
- Following an earlier patient-zero compromise and lateral movement, on August 10-11, 2018, the bank’s internal and ATM infrastructure was compromised. The exploit involved multiple targeted malware infections followed by standing up a malicious ATM/POS switch (malicious-Central or MC) in parallel with the existing Central and then breaking the connection between the Central and the backend/Core Banking System (CBS).
- After making adjustments to the target account balances to enable withdrawals, MC was then likely used in fake “*on-us,” foreign-to-EFT, standing-in, etc. activity that enabled the malicious threat actor to authorize ATM withdrawals for over US$11.5 million in 2849 domestic (Rupay) and 12,000 international (Visa) transactions using 450 cloned (non-EMV) debit cards in 28 countries.
- Using MC, attackers were likely able to send fake Transaction Reply (TRE) messages in response to Transaction Request (TRQ) messages from cardholders and terminals. As a result, the required ISO 8583 messages (an international standard for systems that exchange electronic transactions initiated by cardholders using payment cards) were never forwarded to the backend/CBS from the ATM/POS switching solution that was compromised, which enabled the malicious withdrawals and impacted the fraud detection capabilities on the banking backend.
Cosmos Bank Cyberattack – SWIFT Modality – US$2 Million Stolen
- On August 13, 2018, the malicious threat actor continued the attack against Cosmos Bank likely by moving laterally and using the Cosmos bank’s SWIFT SAA environment LSO/RSO compromise/authentication to send three malicious MT103 to ALM Trading Limited at Hang Seng Bank in Hong Kong amounting to around US$2 million.
Figure 2: Common Banking ATM Switch Architecture
The ATM/POS banking switch that was compromised in the Cosmos Bank attack is a component that typically provides hosted ATM/POS terminal support, an interface to core banking solution (CBS) or another core financial system, and connectivity to regional, national or international networks. The primary purpose of the system is to perform transaction processing and routing decisions (see Figure 2).
In case of the Cosmos Bank attack, this was not the typical basic card-not-present (CNP), jackpotting, or blackboxing fraud. The attack was a more advanced, well-planned, and highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance (see https://www.ncr.com/content/dam/ncrcom/content-type/brochures/EuroPol_Guidance-Recommendations-ATM-logical-attacks.pdf).
Based on our experience with real-world attacks involving ATM and SWIFT, following the initial compromise, attackers most likely either leveraged the vendor ATM test software or made changes to the currently deployed ATM payment switch software to create a malicious proxy switch.
As a result, the details sent from payment switch to authorize transaction were never forwarded to CBS so the checks on card number, card status (Cold, Warm, Hot), PIN, and more were never performed. Instead, the request was handled by the MC deployed by the attackers sending fake responses authorizing transactions.
In addition to the ATM and SWIFT monitoring, this attack likely involved a significant number of common cyber attack behaviors while the required malicious infrastructure needed to execute the attack was developed and stood up. As mentioned, this high-profile SWIFT/ATM banking attack is currently attributed to Lazarus Group/nation-state-sponsored actor/DPRK. Specifically some of the attack techniques commonly used by the threat actor include: use of Windows Admin Shares for Lateral Movement, using custom Command and Control (C2) that mimics TLS, adding new services on targets for Persistence, Windows Firewall changes, Timestomping, Reflective DLL Injection, and a number of other techniques (see https://attack.mitre.org/wiki/Group/G0032 for more details).
Based on the details above, this attack is a good example of the fact that, while ATM and SWIFT transaction monitoring is important, it often is not enough, and may only give you 10-20% of the required detection coverage. In order to detect modern threat actors targeting banks, in addition to automatically baselining transactions, it is critical to also have the ability to monitor and baseline the behavior of your users, your systems, and your networks to detect anomalies (often 70-80%+ of success), and then connect all of the dots properly to detect an attack in progress.
Detection – Securonix Behavior Analytics/Security Analytics
Based on the publicly available details available about the Cosmos Bank attacks, proper visibility into the environment (both from the endpoint and network perspective) as well as the ability to enrich and connect anomalies across different entities (users, frontend, backend, jump servers, third-parties, SWIFT, SAG, and more) was most likely key to be able to detect this attack.
Taking into account our expertise and the known techniques used by the threat actors attributed to the attack, particularly Lazarus Group, some high-level examples of the relevant Securonix behavior analytics/predictive indicators that could help detect such attacks in your banking environment include:
- Suspicious Transaction Activity – Targeted – Frontend and backend Transaction Discrepancy Analytic (This can be used to help detect malware activity utilized to compromise ATM switches e.g. where TR enters a payment switch but never leaves for authorization etc.)
- Suspicious SWIFT Endpoint Activity – Rare SAA Process/MD5 Analytic
- Suspicious SWIFT Activity – Amount – Unusual 103 For Source Analytic
- Suspicious ATM Activity – Peak Sequential Non-EMV Transactions For ATM Source Analytic
Figure 3: Example of Securonix Detecting Advanced Banking/SWIFT Cyber Attacks In Practice Using Security Analytics
- Suspicious Network Activity – Amount – Unusual PCCR Changes Analytic (This can be used to help detect unusual changes in the behavior of the ATM switches from a network perspective.)
- Suspicious ATM Activity – Peak EMV Fallbacks to Magstripe Analytic
- Suspicious Network Activity – Rare Outbound Network Connection For Host Analytic (This can be used to help detect attack activity associated with the compromised ATM switch.)
- Suspicious ATM Activity – Peak *On-Us Transaction Volume For PAN Analytic
- Suspicious ATM Activity – Amount – Unusual Foreign Cash-out Volume Analytic
- Suspicious Transaction Activity – Targeted – Cash Withdrawal Limit Elimination Analytic – Malicious threat actors manually changing cash withdrawal limits
- Suspicious Process Activity – Rare Scheduled Task For Host Analytic (This is an example that can be used to detect one of the common techniques leveraged by Lazarus Group to which the attacks were attributed.)
- Suspicious Process Activity – Targeted – Executable File Creation Analytic
A number of other Securonix behavioral analytics/predictive indicators that could help detect such attacks, include IFW-HOS1-RUN,EDR-SYM6-ERI, EDR-SYM5-ERI, WEL-PSH-BPI, PXY-IPB1-TPN, EDR-SYM15-ERI, EDR-SYM35-BAI, WEL-WOT1-RUN, EDR-SYM25-RUN, WEL-WSH1-ERI, WEL-TAN1-BAI, WEL-TAN2-BPI, EDR-SYM36-BPI, and EDR-SYM37-ERI et al.
An example of how some of these behavior analytics and predictive indicators might work in practice in Securonix in shown in Figure 3.
In conclusion, in order to increase the chances of detecting a similar targeted attack, it is key to use a complete Security Analytics and Operations Management (SAOM) platform providing end-to-end monitoring, detection and incident response, and recovery capabilities in your environment (see https://www.securonix.com/security-analytics-2-0-and-the-future/).
August 27, 2018, 1:00 PM PT – Added citations to support attribution.
August 29, 2018, 9:00 AM PT – Added additional attribution information.