A bank in India has lost $13.5 million in a cyber attack that targeted the systems that authorise ATM transactions - just days after the FBI warned of an imminent ‘cash out’ attack.
In the warning, the FBI suggested that the attackers had been able to compromise a bank's internal systems, and were preparing to exploit it by taking millions of dollars out of cash machines worldwide, probably over one weekend.
That warning was issued on Friday. This week, India's Cosmos Cooperative Bank admitted that it was attacked over the weekend - almost precisely in the manner the FBI had described.
The attack has been linked with North Korea's Lazarus Group, although detailed forensics have yet to take place.
India's Cosmos Cooperative Bank claims that it lost the $13.5 million in around 12,000 ATM transactions after the security of the systems that authorise its ATM transactions was evaded and malware that suspended these systems was installed.
ATMs and cloned cards were then used by associates of the criminal gang around the world to ‘monetise’ their attack. The Bank's SWIFT international payments systems were also, it seems, compromised in the attack.
The 12,000 ATM transactions were carried out over last weekend, between 11 August and 13 August, Cosmos Bank chairman Milind Kale has admitted, with a sizeable SWIFT transaction executed on Monday.
"In two days, hackers withdrew a total 780 million rupees ($11.1m) from various ATMs in 28 countries, including Canada, Hong Kong and a few ATMs in India, and another 25 million rupees ($356,000) were taken out within India," he said.
On Monday 13 August, the attackers also transferred 139.2 million rupees ($2m) to a Hong Kong-based bank by using the Bank's compromised SWIFT international payments system, according to the Economic Times of India.
In total, some $13.5 million was stolen from the Bank, although given the extent of the compromise that figure could rise.
The Economic Times suggests that "the fraud involved breaching the firewall in servers that authorise ATM transactions. After this, a proxy server was created and transactions authorised by the fake or proxy server.
"This meant that the ATMs were being directed to release money without checking whether the cards were genuine or whether there was a bank account."
This account accords with the warning given by the FBI on Friday, as first reported by independent security journalist Brian Krebs.
"The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores," the FBI warned.
"At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards."
Kale was keen to reassure customers that their main bank accounts were safe. "Our security systems have not been compromised," said Kale, adding that the Bank's systems had been inspected by the Reserve Bank of India (RBI), India's central bank, in July and found to be perfectly secure.
He continued: "The bank turned off its servers and all internet banking applications after noticing several erratic and abnormally high transactions.
"These transactions happened over two hours and 13 minutes and were spread across 28 countries where cloned cards were used to debit several amounts ranging from $100 (6,900 rupees) to $2,500 (1.7 lakh rupees)."
It was, though, the RBI that alerted Cosmos Bank about the anomalous activity.
The Bank has pointed the finger at Lazarus Group, which has been blamed for a string of attacks on banks' SWIFT payments systems across the world, most notoriously when it tried to transfer $951 million from Bangladesh Bank, the central bank of Bangladesh.