Cyber frauds North Korea tool to skirt sanctions: Report

PUNE: A report by a United Nations Security Council (UNSC) panel of experts has said that the online heist on the city-based Cosmos Bank’s switches originated from North Korea. This is the first report by any agency to confirm the widely held suspicion that the attacks could be linked to the Democratic People’s Republic of Korea. The panel has submitted the report to the council for further action by member states.

TOI first reported on August 15, 2018, citing cyber experts, that the North Korean hacker group Lazarus could be behind the Cosmos Bank attacks, in which near-simultaneous withdrawals over two days cost the bank Rs 94.42 crore.

“The Cosmos attack was a more advanced, well-planned and highly coordinated operation that bypassed three main layers of defence contained in International Criminal Police Organization (Interpol) banking/ATM attack mitigation guidance,” the report said.

“Not only were the actors able to compromise the SWIFT network in the Cosmos case to transfer the funds to other accounts, but they simultaneously compromised internal bank processes to bypass transaction verification procedures and order worldwide transfers to almost 30 countries, where funds were physically withdrawn by individuals in more than 10,000 separate transactions over a weekend,” the report read.

The observations are part of a wider report by the UN panel of experts established pursuant to the resolutions imposing sanctions on North Korea for its nuclear programme. The panel observed that the country’s hackers had resorted to multiple cyber frauds to evade the sanctions imposed on the nation.

“Cyberattacks by the Democratic People’s Republic of Korea to illegally force the transfer of funds have become an important tool in the evasion of sanctions and have grown in sophistication and scale since 2016,” according to the report.

Apart from attacks on the fiat currencies of several countries, the report also mentions that the North Korean hackers were able to commit cryptocurrency crimes and to demand ransom in cryptocurrency, as was observed during the WannaCry ransomware attack.

On August 11 and 13, 2018, a series of malware infections attacked the Cosmos Bank’s ATM switch (the interface to the bank’s core banking solution [CBS] or another core financial system, which also provides connectivity to regional, national or international networks) and then adjusted target account balances to enable withdrawals.

“It is absolutely possible that the attacks originated from North Korea and withdrawals happened elsewhere across 31 countries. It is a well-oiled syndicate,” said Milind Kale, chairman, Cosmos Bank. He said he had learnt from the cyber cell of the Pune police that the investigation was at an advanced stage and that they were very close to identifying the mastermind.

The cyber cell of the Pune police has so far arrested 12 persons, mostly money mules, from different cities in the country. The police also recovered a card-cloning machine from Mumbai, allegedly used to clone the cards used in India. So far, it has recovered about Rs 8 lakh from people who withdrew the money.

Deputy commissioner of police (EOW) Sambhaji Kadam said, “We shall take cognisance of the report once we access it from the appropriate authorities.”

Another senior police officer said, “We have studied 40 cases across the globe having similar features as in the Cosmos Bank’s online heist.”

The Pune police said they had received a positive response from 18 of the 28 countries they wrote to regarding the Cosmos Bank heist. These countries have requested more information on the case. “The suspects in such cases keep rotating the money stolen from one account to another and at this moment in time, we cannot predict where the money has finally settled,” police said.

Muslim Koser, co-founder, Volon Cyber Security, said, “We have been monitoring Lazarus for some time with our focused research on the group. Last year, we had concluded that the TTPs (modus operandi) used in the Cosmos Bank attack were similar to those of the group’s previous targets such as ‘Bank of Bangladesh’ or ‘Tien Phong Bank’ from Vietnam. We had intercepted a recruitment advertisement for SWIFT access to an Indian bank on the dark web from September 2017 till February 2018. India’s Citi Union Bank was affected in a similar fashion in February 2018, much before the Cosmos Bank attack.”
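The two features the report describes, withdrawals on the same cards approved from many countries within minutes, and a switch that approves withdrawals the core banking solution (CBS) never debited, are both detectable from logs the bank already holds. The checks below are an added illustration, not code from the UN panel, Cosmos Bank or the police; the switch log and CBS ledger are constructed sample data in an assumed tuple format, and the thresholds (a 10-minute window, two countries) are illustrative assumptions a bank would tune to its own traffic.

```python
"""Two detection checks over ATM-switch authorization records.

Added example with constructed sample data; the record layouts below are
assumptions, not any real bank's or switch vendor's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed switch log: (timestamp, card_id, country, amount, approved)
# Cards ...0001 and ...0002 mimic the pattern in the Cosmos case: one card,
# several countries, all approved within seconds.
SWITCH_LOG = [
    ("2018-08-11T14:00:05", "4111-0001", "IN", 5000, True),
    ("2018-08-11T14:00:09", "4111-0001", "CA", 800, True),
    ("2018-08-11T14:00:12", "4111-0001", "HK", 900, True),
    ("2018-08-11T14:00:20", "4111-0002", "US", 700, True),
    ("2018-08-11T14:00:25", "4111-0002", "AE", 700, True),
    ("2018-08-11T14:00:40", "4111-0002", "RU", 700, True),
    ("2018-08-11T14:01:00", "4111-0003", "IN", 2000, True),
    ("2018-08-11T14:05:00", "4111-0004", "IN", 10000, False),
]

# Constructed CBS ledger of debits actually posted: (card_id, amount, timestamp).
# Only the two domestic withdrawals reached the core system; the rest were
# approved by the switch without a corresponding debit.
CBS_DEBITS = [
    ("4111-0001", 5000, "2018-08-11T14:00:05"),
    ("4111-0003", 2000, "2018-08-11T14:01:00"),
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def multi_country_cards(log, window=timedelta(minutes=10), min_countries=2):
    """Return {card_id: [countries]} for cards with approved withdrawals in
    at least `min_countries` distinct countries inside any `window`.

    A physical card cannot be in two countries minutes apart, so this is a
    strong signal of cloned cards being cashed out by a mule network.
    """
    by_card = defaultdict(list)
    for ts, card, country, _amount, approved in log:
        if approved:
            by_card[card].append((_parse(ts), country))

    flagged = {}
    for card, events in by_card.items():
        events.sort()
        best = set()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            countries = {c for _, c in events[start:end + 1]}
            if len(countries) > len(best):
                best = countries
        if len(best) >= min_countries:
            flagged[card] = sorted(best)
    return flagged


def unreconciled_approvals(log, debits):
    """Return switch approvals with no matching (card, amount) debit in the
    CBS ledger. A switch that answers 'approved' without the core system
    ever posting a debit is exactly what a tampered or proxied switch does.
    """
    posted = defaultdict(int)
    for card, amount, _ts in debits:
        posted[(card, amount)] += 1

    missing = []
    for ts, card, country, amount, approved in log:
        if not approved:
            continue
        key = (card, amount)
        if posted[key] > 0:
            posted[key] -= 1          # consume one matching debit
        else:
            missing.append((ts, card, country, amount))
    return missing


if __name__ == "__main__":
    for card, countries in multi_country_cards(SWITCH_LOG).items():
        print(f"ALERT multi-country card {card}: {', '.join(countries)}")
    for ts, card, country, amount in unreconciled_approvals(SWITCH_LOG, CBS_DEBITS):
        print(f"ALERT approval without CBS debit {ts} {card} {country} {amount}")
```

The reconciliation check is the more important of the two in this scenario: velocity rules live on the same switch the attackers controlled, whereas comparing switch approvals against the CBS ledger runs on a system the attackers did not own, and it catches the gap within the batch interval instead of after the weekend's cash-outs.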