Cyber attackers tried to steal $2 million from City Union Bank

By Kim Crawley
Cybersecurity Journalist

City Union Bank is a large financial institution based in India, the world’s second most populous country. Recently, cyber attackers attempted to fraudulently transfer nearly $2 million USD in three SWIFT transactions. I’m vaguely familiar with the international SWIFT money transfer system because I’m a Canadian who works for American and British companies and they send international direct deposits to me through SWIFT.

The three fraudulent money transfers were for $500,000, $372,150, and $1 million USD, to accounts based in China, Dubai, and Turkey.

The attackers simply disabled the printer City Union Bank uses to receive notification of SWIFT transactions. That was done on February 6th. What a sneaky and simple way to make sure that the theft isn’t noticed.

“Nobody suspected that it was an attack and thought it was a systemic network failure. The system department people, everybody assembled, analyzed the problem, rebooted, they closed shop only around 10-10.30 in the night,” said City Union Bank CEO N. Kamakodi.

That reminds me of how DDoS attacks are usually just a nuisance, but they can look like accidental systemic network failures. While a network administrator tries to get networking appliances and computers back up and running, a cyber attacker can use the opportunity to perform more harmful cyber attacks and be less likely to be noticed. I don’t know whether the City Union Bank cyber attack involved a Denial of Service, but some of the basic mechanics are the same. Take a device like the SWIFT printer offline so that you don’t get caught in your cyber attack.

On the morning of February 7th (local Indian time), administrators found the three fraudulent transactions while checking the records of the previous day’s activity.

“This is basically a cyber attack by international cyber criminals. So far (there is) no evidence of any internal staff involvement. We are very clear now the account holders are part of this conspiracy,” said Kamakodi.

It appears the attacks involved American currency, not India’s rupee.

City Union Bank was able to directly stop the $500,000 transfer to the Dubai-based account. The Turkish financial institution was able to block the transfer of $372,150 from their end. The $1 million transfer destined to a Chinese bank account is being dealt with by all of the banks involved, including the Bank of America based in New York.

February’s City Union Bank cyber attack is similar to an attack on Bangladesh Bank in 2016. From News 18:

“In the case of Bangladesh Bank, hackers infected the system with malware that disabled the SWIFT printer. Bank officials in Dhaka initially assumed there was simply a printer problem.

The hackers stole the money from Bangladesh Bank’s account at the Federal Reserve Bank of New York using fraudulent orders on SWIFT. The money was sent to accounts at Manila-based Rizal Commercial Banking Corp and then disappeared into the casino industry in the Philippines.

Nearly two years later, there is no word on who was responsible and Bangladesh Bank has been able to retrieve only about $15 million, mostly from a Manila junket operator.

‘We definitely see similarities between the Bangladesh case, and the similarities are being factored into the investigation,’ Kamakodi said.”

I frankly know little about the technicalities of SWIFT, or Interac, our similar system for money transfers between Canadian banks. A lot of that information is highly proprietary and possibly classified. Based on my observance of cyber attacks happening a lot more frequently to SWIFT than Interac, I believe non-Canadian banks should study the differences between SWIFT and Interac and consider using Interac as a model for security hardening SWIFT. If a SWIFT printer goes down, there should definitely be redundant systems so that all transactions can be monitored live even if some devices fail. Of course, the fact that SWIFT is used around the world and Interac is only used within Canada is a factor in Interac attacks being less frequent. But it would do no harm for the people behind SWIFT to examine Interac and see if there’s something they can learn!
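The redundancy argued for above can be as simple as reconciling the outbound transfer log against the confirmation channel, so that a silent printer during outbound activity is raised as a security event rather than an IT fault. The sketch below is an added example, not part of the original article and not SWIFT's or any bank's own code; the `Transfer` record, the `TX-` references, and the minute timestamps are constructed, and only the three dollar amounts come from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ref: str         # hypothetical transaction reference
    minute: int      # minutes since start of day (constructed)
    amount_usd: int

def unconfirmed(sent, confirmed, now, grace=15):
    """Transfers in the outbound log that the confirmation channel
    (the printer, in the article) has not acknowledged within `grace` minutes."""
    return [t for t in sent
            if t.ref not in confirmed and now - t.minute >= grace]

def assess(sent, confirmed, now, grace=15):
    """Return (state, missing) for the confirmation channel.

    'ok'       every transfer old enough to be confirmed was confirmed
    'degraded' some confirmations are missing, but the channel has
               confirmed something since the first missing transfer
    'alert'    nothing has been confirmed since the first missing
               transfer was sent: the channel went quiet while money moved
    """
    missing = unconfirmed(sent, confirmed, now, grace)
    if not missing:
        return "ok", missing
    first_missing = min(t.minute for t in missing)
    last_confirm = max(confirmed.values(), default=-1)
    state = "alert" if last_confirm < first_missing else "degraded"
    return state, missing

# Constructed sample: one routine transfer that was confirmed, then the
# three amounts from the article sent after confirmations stopped.
SENT = [
    Transfer("TX-0001", 540, 12_000),
    Transfer("TX-0002", 600, 500_000),
    Transfer("TX-0003", 605, 372_150),
    Transfer("TX-0004", 611, 1_000_000),
]
CONFIRMED = {"TX-0001": 541}   # ref -> minute the confirmation arrived

if __name__ == "__main__":
    state, missing = assess(SENT, CONFIRMED, now=660)
    exposure = sum(t.amount_usd for t in missing)
    print(f"{state}: {len(missing)} unconfirmed transfers, ${exposure:,} exposed")
```

The check only helps if the outbound log it reads is collected independently of the device being monitored, which is the point of the redundancy argument.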

This article was originally posted on Peerlyst.