It was recently reported in the media that Union Bank, one of the leading public sector banks in India, was hacked last year (July 2016). Funds to the tune of about $171 million were siphoned off, and a 7-country hunt had to be spearheaded at the top levels of government to reverse the theft.
Though the events involved in the breach itself are interesting and need a detailed analysis, what caught my attention is how the Bank managed to track the trail of the fund transfer to the last mile and how quickly they recovered every single penny that was stolen, within a week’s time.
Gopika Gopakumar and Leslie D’Monte of Live Mint have the best analysis report of this incident I’ve seen so far.
I highly recommend their report.
I have taken some excerpts from their report and shared my thoughts on them. Let’s get straight to how the hackers got into the Bank’s systems:
Phishing e-mails were sent to 15 email IDs. “Three people reported that the email was suspicious to the IT security. The other Union Bank employees were “technically-savvy” persons. They noticed that although the email address said @rbi.org.in, it had an attachment that was a zip file. Within the zip file, there was a dot (xer) file and not a dot pdf file, which is why they reported it as suspicious.”
I am curious to know how legitimate the RBI email ID used here was – if it was a real RBI domain and a valid RBI email address, then this is a matter of larger concern, as it raises questions about RBI’s email system being hacked before this incident. This requires a lot more serious investigation.
If you look at this sequence of events from a Cyber Kill Chain perspective, this is a successful demonstration of “Delivery” followed by “Exploit & Installation”.
Then the malware, once downloaded on one system, started spreading across the Bank’s network and eventually onto the Bank’s servers, demonstrating a successful “Internal Recon”, followed by “Lateral movement”.
To me, this looks like a classic case of an externally originating exploit attempt, followed by internal recon and lateral movement. Though it is easier said than done, I feel that a good security anomaly detection system would have been able to flag this off, considering the sequence of events revealed by this report – pre and post exploit. Also, I am curious to know what Intrusion and Anomaly detection tools and techniques the bank had deployed, which failed to detect these events occurring within the bank’s internal systems and network.
So, if the Bank didn’t detect these patterns while they were occurring, how did the Bank discover this anomaly? Thanks to SWIFT’s (Society for Worldwide Interbank Financial Telecommunication) daily reconciliation report, as Live Mint goes on to report:
“When a bank does a SWIFT transaction during the day, they typically get a reconciliation report the next day and all the corresponding banks send them the “end-of-the-day balance” report the following morning.
When Union Bank got it from the originating bank, they saw a difference of $170 million and that alerted them because of one mistake—the hackers deleted the six entries they had made.”
This is an interesting revelation of how the SWIFT system actually tracks any transaction anomalies, and I am sure this system is a lot more sophisticated. But what the hackers did appears to be utterly dumb to me – deleting their transaction logs, whilst leaving the funds debit logs unchanged!
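The mismatch described above can be sketched as a reconciliation check. This is an added example, not code from the Live Mint report or from the bank; the record layout, field names and sample figures are constructed, and it models only debits on a single correspondent account.

```python
from decimal import Decimal

# Constructed sample data: the bank's own record of outgoing payment
# instructions, and the correspondent bank's end-of-day statement.
LOCAL_LEDGER = [
    {"ref": "TXN0001", "amount": Decimal("250000.00")},
    {"ref": "TXN0002", "amount": Decimal("1200000.00")},
]
CORRESPONDENT_STATEMENT = {
    "opening_balance": Decimal("500000000.00"),
    "closing_balance": Decimal("468550000.00"),
    "debits": [
        {"ref": "TXN0001", "amount": Decimal("250000.00")},
        {"ref": "TXN0002", "amount": Decimal("1200000.00")},
        # Debit with no matching local entry (local record deleted).
        {"ref": "TXN0003", "amount": Decimal("30000000.00")},
    ],
}


def reconcile(local_ledger, statement):
    """Compare local payment records with the correspondent's statement."""
    local = {e["ref"]: e["amount"] for e in local_ledger}
    remote = {e["ref"]: e["amount"] for e in statement["debits"]}
    # Money that left the account, as seen by the other bank.
    balance_move = statement["opening_balance"] - statement["closing_balance"]
    return {
        # Debited by the correspondent, but unknown to the local ledger.
        "orphan_debits": sorted(r for r in remote if r not in local),
        # Recorded locally, but not (yet) debited by the correspondent.
        "unsent_or_pending": sorted(r for r in local if r not in remote),
        # Same reference on both sides, different amount.
        "amount_mismatches": sorted(
            r for r in local.keys() & remote.keys() if local[r] != remote[r]
        ),
        # Balance movement the local ledger cannot account for.
        "unexplained_difference": balance_move
        - sum(local.values(), Decimal("0")),
    }


if __name__ == "__main__":
    for key, value in reconcile(LOCAL_LEDGER, CORRESPONDENT_STATEMENT).items():
        print(f"{key}: {value}")
```

Deleting the local entries does not hide the transfer here, because the balance and debit list come from the other bank's books.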
Coming to the recovery of the funds itself, and where it took the Bank a few extra days:
“One tricky negotiation was with the Taiwanese government with which India doesn’t have diplomatic ties, particularly as a court order was needed to secure the banking reversal instruction. However, with some pushing from U.S. officials, the entire $171 million was traced.”
It is commendable to see how the bank worked with the Indian Govt. agencies, including CERT-IN and RBI, and other international banks in getting the money back in a few days. This entire episode is worth a case study on how other national and international banks should mobilise the right tools, people and government and inter-country legal processes, for executing an effective cybersecurity incident response procedure.
The CEO of SWIFT India acknowledged the impact of cyber threats to the banking industry, and thanks to the various guidelines laid out by RBI (Reserve Bank of India), there appears to be good momentum amongst the public and private sector banks in India in implementing cyber security controls to thwart such security threats.
“Cyber threat is real and is growing”. According to him, the pace of digitization that we have seen in the last decade and at a more accelerated pace, requires the same level of investment on the cyber side as well. The regulator (RBI), he added, has introduced regulations around a CISO (chief information and security officer) directly reporting to the board. There is also a customer security programme where “we are now mandating 27 controls, of which 16 are mandates and 11 are advisory. If you don’t have 16, we will start reporting to the regulator.”
Closing thoughts:
Though the Incident report of this breach will never be made public, and it shouldn’t, the most important learning from this incident, for other banks and the cyber security community, would be to know what controls worked and what didn’t:
- both technical controls, in terms of the intrusion detection tools/techniques that worked and didn’t work, or could have worked (if the bank didn’t have them – for ex., Machine Learning based threat detection tools which can detect new/unknown patterns of threats a lot more efficiently than traditional systems), and
- non-technical controls (security awareness initiatives amongst the bank’s employees, and the processes and SLA established between the Bank and CERT-IN, RBI, Legal depts (Cyber Vigilance committee), and the cross-border relations with other nations).
Finally, the fact that caught my attention and made me read more about the Union Bank hack – the recovery of the stolen funds – Kudos to the collaborative effort between the officials from Union Bank, CERT-IN and RBI in not only investigating and tracking the trail of the money flow, but also recovering every cent of the theft, in 6 days. Great work!
One of my friends in the cyber security industry posed a very logical question to me – if Google can keep track of where I am going, what and where I am eating, what I am watching and what I am reading, in spite of me being in the general public domain and Google merely using the open internet to track all this, why is an Enterprise/Organisation still unable to track the use of its own resources and assets by its entities (users, machines, devices), within the network that the organisation has provisioned and controls?