India’s Cosmos Bank Suffers Unlimited ATM Attack

On August 10th, many American Financial Institutions received a warning from the FBI that the Bureau had found evidence that criminals were plotting an “Unlimited Operation.”  We’ve written about these Unlimited Attacks a number of times in the past in this blog, but this is the first time that we know of where the FBI announced the attack before hand.  In these attacks, hackers compromise the internal systems of a bank and gain control of systems that allow them to bypass or reset ATM withdrawal limits.  Then, the magnetic stripe information for a selected number of cards is shared with trusted cash-out gangs around the world, who make physical ATM cards with the stripe information encoded and stand by for the pre-arranged attack to begin.  Once zero-hour arrives, hundreds of cash-out gang members begin draining every ATM machine they can find.  Literally emptying the machines, with the balance available for withdrawal being magically reset in real time by the hackers inside the systems of the targeted bank.

The most famous Unlimited Attack was also one of the earliest, when $9 Million in cash was withdrawn from at least 2100 ATM machines in 280 cities around the world on November 7th and 8th, 2008 in the RBS WorldPay attack.  That was far surpassed in 2013, when cash-out gangs in 26 Countries stole $40M.  More recently, Standard Bank was victimized in the first Japanese Unlimited Attack in 2016, involving at least 14,000 “maximum” ATM withdrawals.

In this case, the FBI’s prediction came true almost immediately, even before our favorite security journalist, Brian Krebs, was able to get his story out: FBI Warns of Unlimited ATM Cashout Blitz.

The Times of India reported on August 14th “How hackers siphoned over Rs 94 crore off a co-operative bank in Pune“, revealing that the 112 year old Cosmos Bank was the target of the attack.  During this attack hackers were able to cause the ATM Network to approve “Rupay” transactions by validating the requests against a fake payment gateway controlled by the hackers.  In 2.5 hours, from 3 pm to 5:30 pm, 12,000 Visa card transactions withdrew Rs 78 crore (approximately $10.9 Million USD) before Cosmos Bank terminated all ATM Visa Transactions, however Rupay transactions continued until at least 10PM.  RuPay is an India-only card system designed to allow national payments in India without reliance on Visa and Mastercard.  2,890 India-based RuPay transactions totaled an additional Rs 2.5 crore ($351,500 USD).  In addition to the ATM damages, on August 13th, the same hackers wired Rs 13.94 crore (almost $2M  USD) to Hong Kong via a fraudulent SWIFT transfer.  (Three separate MT103 transactions were sent to ALM Trading Limited at Hang Seng Bank in Hong Kong, according to Securonix analysis of the event.  Securonix believes the behavior of the attackers is consistent with the North Korean based APT group known as “Lazarus Group”.  MITRE’s ATT&CK program (Adversarial Tactics, Techniques & Common Knowledge) provides more information on the Lazarus Group.

As with many previous Unlimited attacks, Cosmos Bank chairman Milind Kale said that no customer accounts were impacted, as these were “dummy” accounts that were established for the attack.  If this attack is like historical ones, many of the follow-up arrests will come from using ATM video footage to identify individual cash-out gangs and try to follow their communications back to the criminals who recruited them for the scheme.