Cyber Incident Victim: Cosmos Bank
Date: Aug 2018
Location: India
Summary
Cyber criminals compromised a cooperative bank in India, siphoning approximately $13.5 million through coordinated ATM withdrawals across 28 countries and unauthorized SWIFT transfers to a Hong Kong-based entity. The attackers deployed malware to bypass the institution's primary transaction processing system, creating a fraudulent proxy switch that approved over 14,000 overseas ATM transactions within hours while simultaneously initiating three illicit international wire transfers. The breach exposed vulnerabilities in the bank's switching infrastructure, though investigators have not publicly identified the perpetrators or their intrusion methodology. This incident followed similar SWIFT network exploits targeting other financial institutions in the region.
Description
On August 11, 2018, Cosmos Bank, a cooperative bank based in Pune, India, suffered a cyberattack resulting in the theft of approximately 944 million rupees ($13.5 million). The attack involved two coordinated components targeting the bank’s payment systems. First, unidentified hackers deployed malware to compromise the bank’s automated teller machine (ATM) server, enabling fraudulent cash withdrawals across 28 countries. Within a span of just over two hours, attackers executed 14,849 unauthorized ATM transactions, siphoning 805 million rupees primarily from overseas locations. The bank’s switching system, which normally processes debit card payment requests, was bypassed during the attack through the creation of a malicious proxy switch. This rogue system facilitated the approval of all fraudulent transactions without triggering alerts from the primary banking software.

Simultaneously, attackers exploited the SWIFT global payments network to initiate three unauthorized transfers totaling 139 million rupees to an account held by a Hong Kong-based entity. Cosmos Bank disclosed these details in a police complaint filed after detecting the breach, though it withheld specific country names involved in the ATM withdrawals due to security concerns. Police launched an investigation, collaborating with cybersecurity experts to determine how attackers orchestrated globally synchronized transactions appearing as legitimate approvals. The incident drew parallels to prior SWIFT-related breaches, including a February 2018 attack on India’s City Union Bank involving $2 million in fraudulent remittances and the 2016 Bangladesh Bank heist that resulted in $81 million stolen from the Federal Reserve Bank of New York. Cosmos Bank’s public statement emphasized the technical bypass of its switching infrastructure but did not disclose remediation steps or customer impact specifics beyond the financial losses. The breach underscored broader concerns about institutional cybersecurity preparedness, as noted by industry observers citing delayed investments in defense mechanisms until after incidents occur.
