Date: Jan 2022

Location: India

Summary

Attackers compromised Andhra Pradesh Mahesh Co-Operative Urban Bank by sending phishing emails containing a remote access trojan (RAT) to employees, exploiting the institution's lack of valid firewall licensing, intrusion detection/prevention systems, phishing protections, virtual LAN segmentation, and employee cybersecurity training. Once installed, the RAT enabled unauthorized access to interconnected systems, including core banking servers, where attackers altered balances in four accounts—fraudulently inflating values by millions of rupees—and transferred funds to 115 accounts across India. Stolen amounts exceeding $1 million were withdrawn from 938 ATMs nationwide, while authorities froze approximately $2 million in additional funds. Investigations revealed international involvement, with suspects from Nigeria and the UK using proxy IPs and VPN services to mask locations; multiple arrests included Nigerian nationals and domestic accomplices handling account operations and fund distribution, with illicit proceeds likely transferred overseas via Hawala or cryptocurrencies.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

The Andhra Pradesh Mahesh Co-Operative Urban Bank suffered a major cyber heist between November 2021 and January 2022, initiated through a phishing campaign targeting bank employees. Attackers sent over 200 phishing emails across three days in November 2021 (November 4, 10, and 16); at least one employee opened a malicious attachment that installed a Remote Access Trojan (RAT). Because of inadequate security controls, this single compromised endpoint gave the attackers unrestricted access to the bank's network. The bank had no virtual LAN segmentation, so the attackers could move laterally from infected workstations to critical systems, including the core banking server. They exploited weak administrative controls, notably ten super-user accounts that shared the same password, to gain access to the database holding customer account information. Between November 2021 and January 2022, the threat actors manipulated the balances of four accounts: Sanvika Enterprises (altered from ₹299 to ₹4,00,40,361), Shainaaz Begum (₹250,000 to ₹3,59,55,390), Hindustan Traders (₹4,940 to ₹4,83,25,985), and Sampath Kumar's Pharma House (₹3,000 to ₹499,999). Three further account compromise attempts failed.


The attackers transferred ₹12.48 crores (approximately $1.6 million) from these manipulated accounts through 115 intermediary accounts across eight Indian states, then distributed the funds to 398 secondary accounts. The money was withdrawn in cash from 938 ATMs nationwide before Hyderabad Cyber Crime Police intervened on January 24, 2022. Law enforcement froze ₹2.08 crores during withdrawal attempts and recovered ₹1.08 crores that had been sent with incorrect beneficiary details. Forensic analysis revealed that the attackers used proxy IP addresses routed through the United States, Canada, and Romania, together with a VPN service from a Bihar-based company that allocated UK-based IPs. International connections were identified through Nigerian nationals Ikpa Stephen Orji and an associate codenamed "Capital," who traveled to Hyderabad to coordinate fund transfers. Police arrested 19 individuals across multiple states, including Nigerian nationals and Indian account handlers. The bank's security failures included expired firewall licenses, absent phishing protection, no intrusion detection/prevention systems, inadequate staff training, and unrestricted internet access for all employees. Forensic evidence indicated that the final fund transfers went to Nigeria via Hawala networks or cryptocurrency, with the primary attackers believed to be operating from the UK and Nigeria.
