ATM hackers steal $13.5m in 28 countries from India's Cosmos Bank - just days after FBI warning

India's Cosmos Bank targeted in sophisticated attack by North Korea's Lazarus Group, according to reports

Cyber criminals linked to North Korea's Lazarus Group have stolen $13.5 million from an Indian Bank via ATMs in 28 countries. The attack has been revealed just days after the FBI warned of an impending ‘cash out' attack targeting a single compromised bank.

According to reports, India's Cosmos Cooperative Bank was targeted in an attack that was able to evade the security of the systems that authorise its ATM transactions.

ATMs and cloned cards were then used by associates of the criminal gang around the world to ‘monetise' their attack. The Bank's SWIFT international payments systems were, it seems, also compromised in the attack.

The transactions - around 12,000 in total - were carried out over last weekend, between 11 August and 13 August, Cosmos Bank chairman Milind Kale has admitted.

"In two days, hackers withdrew a total 780 million rupees ($11.1m) from various ATMs in 28 countries, including Canada, Hong Kong and a few ATMs in India, and another 25 million rupees ($356,000) were taken out within India," he said.

On Monday 13 August, the attackers also transferred 139.2 million rupees ($2m) to a Hong Kong-based bank by using the Bank's compromised SWIFT international payments system, according to the Economic Times of India.

In total, some $13.5 million was stolen from the Bank, although given the extent of the compromise that figure could rise.

The Economic Times suggests that "the fraud involved breaching the firewall in servers that authorise ATM transactions. After this, a proxy server was created and transactions authorised by the fake or proxy server.

"This meant that the ATMs were being directed to release money without checking whether the cards were genuine or whether there was a bank account."

This account accords with the warning given by the FBI on Friday, as first reported by independent security journalist Brian Krebs.

"The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores," the FBI warned.

"At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards."

The Bank's chairman, meanwhile, rushed to reassure customers that their bank accounts were safe. "Our security systems have not been compromised," said Kale, adding that the Bank's systems had been inspected by the Reserve Bank of India (RBI), India's central bank, in July and found to be perfectly secure.

He continued: "The bank turned off its servers and all internet banking applications after noticing several erratic and abnormally high transactions.

"These transactions happened over two hours and 13 minutes and were spread across 28 countries where cloned cards were used to debit several amounts ranging from $100 (6,900 rupees) to $2,500 (1.7 lakh rupees)."

It was, though, the RBI that alerted Cosmos Bank about the anomalous activity.

Lazarus Group has been blamed for a string of attacks on banks' SWIFT payments systems across the world, most notoriously when it tried to transfer $951 million from Bangladesh Bank, the central bank of Bangladesh. That was only stopped when an elementary spelling error was spotted by a clerk in a correspondent bank handling one of the transactions.