lazarusholic


Cosmos Bank SWIFT/ATM US$13.5 Million Cyber Attack Detection Using Security Analytics

2018-08-28, Securonix
https://www.securonix.com/securonix-threat-research-cosmos-bank-swift-atm-us13-5-million-cyber-attack-detection-using-security-analytics/
#CosmosBank

By Oleg Kolesnikov, Securonix Threat Research Team
Figure 1: Cosmos Bank in India US$13.5 Million SWIFT/ATM Cyber Attack of August 2018 [1]
Introduction
The Securonix Threat Research team recently learned of a new high-profile cyber attack targeting the SWIFT/ATM infrastructure of Cosmos Bank (COSDINBB), a 112-year-old cooperative bank in India and the second largest in the country, resulting in over US$13.5 million stolen [1,2].
Below is a summary of what we currently know about this high-profile attack, together with the Securonix predictive indicators and security analytics we recommend to increase your chances of detecting such attacks targeting financial services and SWIFT environments.
Summary
- Impact: US$13.5 million stolen from Cosmos Bank between August 10-13, 2018.
- Scope: Malware infection, ATM switch compromise, SWIFT environment compromise.
- Attack techniques: Multiple (see below).
- Initial infiltration: Unconfirmed. Based on the attribution, likely spear phishing and/or remote administration/third-party interface.
- Attribution: As of August 27, 2018: Currently attributed to a nation-state-sponsored malicious threat actor (Lazarus Group) by some sources …

IoC

10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba
3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c
4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756
75.99.63.27
820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6
a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc
ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629
ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c
d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee
f3e521996c85c0cdb2bfb3a0fd91eb03e25ba6feef2ba3a1da844f1b17278dd2