A panel of experts appointed by the UN Security Council has stated that the cyber attack on Pune-based Cosmos Cooperative Bank, from which hackers allegedly withdrew Rs 94 crore from ATMs in 28 countries, was “motivated” by North Korea. The panel was set up to study breaches of various UN sanctions by North Korea. Its report comes nearly seven months after the malware attack on the bank. “The panel notes a trend in the Democratic People’s Republic of Korea’s evasion of financial sanctions of using cyber attacks to illegally force the transfer of funds from financial institutions and cryptocurrency exchanges,” the report said.
The Pune Police and the Maharashtra Cyber Cell probing the case are yet to trace the mastermind in the case. So far, 12 people have been arrested by a special investigation team of the Pune Police. Sources said the local module busted by the police could be “money mules” — people who serve as intermediaries for criminals and criminal organisations — acting on behalf of operators abroad.
“The case involves Rs 14 crore that was transferred to a Hong Kong bank by compromising the SWIFT system (of the bank) and the remaining Rs 80 crore that was withdrawn using ATMs in which malware attack was on the switch through which the payment gateways of Visa and Rupay debit cards operate,” said a senior official from the Maharashtra Police, who spoke on the condition of anonymity. “Those arrested are people who operated the ATMs and include an Indian coordinator. We are now trying to probe the malware attack, how the IPs were hacked into … We have managed to trace the trail and received correspondence from a few countries. We are trying to trace the original server and until that is done we cannot say that this attack was carried out by a certain group or a country,” he added.
The UNSC report would aid the probe, but most of the information it quotes comes from open sources, he added. In the past, both the Maharashtra Police and cyber experts had voiced suspicion that the Lazarus Group, a hacker group of unidentified members linked to North Korea, was involved.
In its 378-page report published earlier this month, the committee elaborated on how the Cosmos Bank systems were hacked into. “The attack was a more advanced... and highly coordinated operation that bypassed three main layers of defence contained in International Criminal Police Organization (INTERPOL) banking/ATM attack mitigation guidance,” it said. “Not only were the actors able to compromise the SWIFT network... to transfer the funds to other accounts, but they simultaneously compromised internal bank processes to bypass transaction verification procedures and order worldwide transfers to almost 30 countries where funds were physically withdrawn by individuals in more than 10,000 separate transactions over a weekend,” it added.