Cyber Incident Victim: ATMs in India
Date: May 2017
Location: India
Summary
Cybercriminals exploited ATMs running the outdated Windows XP operating system using malware called Rufus: they physically accessed the machines and inserted infected USB drives that forced the cash dispensers to release funds without requiring bank cards or triggering server alerts. The attacks targeted multiple regions and caused substantial financial losses as machines were remotely manipulated to dispense cash using generated codes that were converted into passwords. Banks initiated forensic audits following the incidents, while security agencies highlighted lapses in the physical and virtual protections of off-site ATMs. Authorities urged software upgrades and enhanced security measures, though ATM manufacturers disputed claims of widespread vulnerabilities. The RBI collaborated with payment authorities to address the security gaps amid police reports emphasizing the need for updated systems.
Description
In May 2017, multiple Indian states experienced coordinated ATM thefts exploiting outdated operating systems. Criminals targeted ATMs running Microsoft Windows XP, which lacked robust security protocols. The attacks began in Odisha, where Rs 17 lakh was stolen from a single machine, eventually accumulating to Rs 40 lakh across the state. Similar incidents were reported in West Bengal, Bihar, and Gujarat. Perpetrators accessed unguarded ATMs at night using physical keys to open the upper computer compartments. They inserted USB drives infected with Rufus malware into the machines' USB ports, transferring malicious files that disconnected ATMs from bank servers during reboot sequences. The malware generated codes that gang members converted into passwords, triggering immediate cash dispensing without transaction records. This method avoided triggering alarms and delayed bank detection since criminals bypassed central monitoring systems.

Authorities responded with multi-level investigations and alerts. Police cybercrime units in Bihar and West Bengal confirmed the malware-based modus operandi, while Odisha's Cuttack DCP publicly identified Windows XP vulnerabilities as the attack vector. State police departments formally notified the Reserve Bank of India (RBI) about ATM security weaknesses, urging mandatory OS upgrades. The RBI collaborated with the National Payments Corporation to develop enhanced security guidelines for banks. Financial institutions initiated forensic audits but avoided confirming whether software flaws caused the breaches. ATM manufacturers acknowledged isolated incidents while denying systemic security failures. Security experts highlighted non-compliance among off-site ATM vendors who neglected physical and digital safeguards, which made the thefts easier to carry out. The incidents occurred shortly after the global WannaCry ransomware attack, during which the RBI had already advised ATM operators to update their systems, underscoring persistent vulnerabilities in India's financial infrastructure.
