Is Lazarus Group Behind Cosmos Bank ATM Heist

The media is blaming Lazarus for the Cosmos Bank ATM heist. Let us understand what Lazarus is.

A Pune-based co-operative bank was in the news because of the ATM heist it suffered in the second week of August. Hackers targeted Cosmos Bank, a 112-year-old co-operative sector bank headquartered in Pune, and transferred over INR 94 crore ($13.6 million) to foreign bank accounts. About 80% of that amount ($11 million) was withdrawn on 11 August 2018 alone: more than 12,000 ATM transactions were recorded in 28 countries between 3 pm and 10 pm on that day.
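The pattern described above, thousands of withdrawals across dozens of countries inside a few hours, is exactly what a velocity-and-geography rule on the card issuer's authorisation stream is meant to catch. The Python below is an added example; it is not code from the article, from Cosmos Bank or from any investigator. The log lines are constructed, and the five-minute window and the thresholds of 8 withdrawals and 4 countries are assumptions to be tuned against real traffic:

```python
"""Detect an ATM cash-out burst from authorisation logs.

Added example (not from the article or the Cosmos Bank investigation): the
sample log below is constructed, and the thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample authorisation log, one record per line:
#   <ISO timestamp> <hashed card id> <ISO country of the ATM> <amount in USD>
# The first two and the last line are ordinary domestic withdrawals; the
# middle block imitates a coordinated cash-out across many countries.
SAMPLE_LOG = """\
2018-08-11T09:12:04 c1f0 IN 120
2018-08-11T10:47:31 a9b2 IN 80
2018-08-11T15:01:10 7d3e CA 500
2018-08-11T15:01:12 7d3e CA 500
2018-08-11T15:01:15 0e4c HK 480
2018-08-11T15:01:20 5b61 RU 470
2018-08-11T15:01:22 5b61 RU 470
2018-08-11T15:01:30 9f02 AE 490
2018-08-11T15:01:41 0e4c HK 480
2018-08-11T15:01:55 33c7 GB 510
2018-08-11T15:02:03 7d3e CA 500
2018-08-11T15:02:10 c8aa US 500
2018-08-11T18:30:00 a9b2 IN 60
"""


def parse_log(text):
    """Parse the log into (timestamp, card, country, amount) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, country, amount = line.split()
        records.append((datetime.fromisoformat(ts), card, country, float(amount)))
    records.sort(key=lambda r: r[0])
    return records


def summarise(span):
    """Summarise one burst: its time range, volume and geographic spread."""
    return {
        "start": span[0][0],
        "end": span[-1][0],
        "txns": len(span),
        "cards": len({r[1] for r in span}),
        "countries": sorted({r[2] for r in span}),
        "total_usd": sum(r[3] for r in span),
    }


def find_cashout_bursts(records, window=timedelta(minutes=5),
                        min_txns=8, min_countries=4):
    """Slide a time window over the sorted records and flag every stretch in
    which at least min_txns withdrawals span at least min_countries countries.
    Overlapping qualifying windows are merged into a single burst."""
    bursts = []          # each entry is a mutable [start_idx, end_idx] pair
    current = None
    start = 0
    for end in range(len(records)):
        # Advance the left edge until the window is no wider than `window`.
        while records[end][0] - records[start][0] > window:
            start += 1
        span = records[start:end + 1]
        if len(span) < min_txns or len({r[2] for r in span}) < min_countries:
            continue
        if current is not None and start <= current[1]:
            current[1] = end          # overlaps the open burst: extend it
        else:
            current = [start, end]    # a new, separate burst
            bursts.append(current)
    return [summarise(records[s:e + 1]) for s, e in bursts]


if __name__ == "__main__":
    for burst in find_cashout_bursts(parse_log(SAMPLE_LOG)):
        print(f"{burst['start']:%H:%M:%S}-{burst['end']:%H:%M:%S}: "
              f"{burst['txns']} withdrawals from {burst['cards']} cards in "
              f"{len(burst['countries'])} countries, ${burst['total_usd']:.0f}")
```

Run stand-alone it reports the single burst in the sample: ten withdrawals from six cards in six countries within one minute. This is a detective control on the issuer's own authorisation or settlement feed, not a preventive one, and the thresholds must first be calibrated on legitimate traffic so that ordinary travel spending across a handful of countries does not trip it.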

On 13 August 2018, INR 13.5 crore was transferred to a Hong Kong-based entity using the Society for Worldwide Interbank Financial Telecommunication (SWIFT) facility. Read: Analysing Cosmos Bank SWIFT Attack from a Forensic Angle

According to a report in one of the Indian newspapers, which quotes some cyber experts, this could be the handiwork of Lazarus, North Korea's most prolific hacking group, which has pulled off some audacious attacks around the globe.

Let us try to understand what Lazarus is and how it operates. This article is an attempt to create awareness about the methodology the Lazarus Group follows in banking attacks worldwide.

What is Lazarus?

This group is considered one of the most prolific hacking groups in the world. It orchestrated the attack on Sony Pictures in 2014, for which the US openly blamed North Korea. The WannaCry attack of 2017 was also attributed to it. Lazarus and its offshoots have been blamed for a series of attacks on financial institutions. Bluenoroff, its subgroup focused on attacking foreign financial institutions, is held responsible for a wide array of financial theft incidents.

Lazarus Attack on Banks

Some of the most prominent attacks attributed to Lazarus in the recent past are:

  • February 2016 – The Bangladesh Bank heist, in which hackers breached the bank's systems and used the SWIFT messaging network to order the transfer of nearly $1 billion from its account; they succeeded in moving about $80 million to a Philippine bank.
  • February 2017 – The website of the Polish financial regulator was used as the watering hole in an attack perpetrated by Lazarus.
  • October 2017 – The Far Eastern International Bank heist, in which the Taiwan-based bank had about $60 million moved out through fraudulent SWIFT transfers.
  • May 2018 – An attempted $110 million attack on SPEI, Mexico's interbank payment system, against a Mexican trade bank; it was detected but never widely publicised.
  • June 2018 – Banco de Chile, the largest bank in Chile, where attackers stole $10 million before the bank disabled 9,000 workstations in response to an alleged attack on its SWIFT connection.

Why is North Korea becoming aggressive?

Sanctions push trade-related money laundering up. North Korea is becoming increasingly starved of hard currency as the United Nations imposes sanctions amid its standoff with the U.S. over Kim Jong Un's nuclear weapons programme. To fund its ambitious programmes the country needs internationally acceptable currency, and it has identified two: dollars and bitcoin. Bluenoroff is the subgroup focused on banking attacks; another subgroup, Andariel, is focused on South Korean bitcoin exchanges. Many security firms have tried to link Lazarus to state-funded activity, though the public evidence remains circumstantial.

Modus Operandi of Lazarus

  • Lazarus/Bluenoroff finds a vulnerability in one of the servers of the targeted organisation,
  • or it infects a website that employees of the targeted organisation often visit (a watering hole).
  • It then spreads malware through the target's IT infrastructure and identifies the server on which the SWIFT software is installed.
  • Finally it downloads additional malware that interacts with the SWIFT software and tries to drain the organisation's accounts.

SWIFT System is Compromised

In all the attacks mentioned above, the Lazarus group targeted SWIFT. Most international transfers are executed through SWIFT, a co-operative society founded in 1973 by 239 banks from 15 countries, which operates a global network for exchanging financial messages; using these messages, banks exchange the data needed for funds transfers between financial institutions. This is the second time in the recent past that the SWIFT system has been the focus of negative news in India. It became known to the common Indian when Nirav Modi used the SWIFT system for his benefit and duped Punjab National Bank of billions of rupees.

Since the SWIFT system is consistently the focus of Lazarus group activity, there is a strong likelihood that the attack on Cosmos Bank, which is claimed to have involved the SWIFT network, was perpetrated by Lazarus.

Last word about Cosmos Bank

Logically, a forensic investigation would be the next step for Cosmos Bank, whether for damage control or to settle the cyber insurance claim. The banking industry throughout the country has been shaken by this incident, however, and should observe a few precautions in the new-age criminal world. Here is some advice:

  1. If your organisation runs software for conducting money transactions, such as SWIFT, invest in additional protection for it (the author recommends the Seqrite solution offered by Quick Heal Technologies Limited) and in regular security assessments, over and above the standard protection measures implemented on all other parts of the organisation's network.
  2. When deploying specialised software for money processing, follow the recommendations and security best practices of your software vendor and of security professionals.
  3. If an intrusion is suspected, request professional assistance with incident response. Again, specialists such as Quick Heal are recommended.

CA Mayur Joshi
CA Mayur Joshi is a Forensic Accounting evangelist in India. He is the co-founder of Indiaforensic and is author of 7 books on forensic accounting, fraud investigations and money laundering.