Published Date: 2018-08-14
Postmortem Analysis | |
---|---|
Timeline | 1. The software failure incident at Cosmos Bank, where cyber criminals hacked the systems and siphoned off nearly 944 million rupees, happened on August 11, as mentioned in the article [74585]. Therefore, the software failure incident happened in August 2018. |
System | 1. ATM server system 2. SWIFT global payments network 3. Main banking software's switching system 4. Proxy switching system created during the malware attack [74585] |
Responsible Organization | 1. Cyber criminals hacked the systems of India's Cosmos Bank, leading to the software failure incident [Article 74585]. |
Impacted Organization | 1. India's Cosmos Bank [Article 74585] |
Software Causes | 1. Malware attack on the automated teller machine (ATM) server allowed hackers to steal customer information and make unauthorized withdrawals [74585]. 2. Creation of a proxy switch during the malware attack bypassed the main banking software's switching system, enabling fraudulent payment approvals [74585]. |
Non-software Causes | 1. The cyber criminals hacked the systems of India's Cosmos Bank and siphoned off money through simultaneous withdrawals across 28 countries, indicating a breach in the bank's cybersecurity measures [Article 74585]. 2. The hackers stole customer information through a malware attack on the bank's ATM server, highlighting a vulnerability in the bank's network security [Article 74585]. 3. The hackers transferred funds to a Hong Kong-based company's account through unauthorized transactions over the SWIFT global payments network, suggesting a failure in the bank's transaction monitoring and authorization processes [Article 74585]. |
Impacts | 1. The cyber criminals hacked the systems of India's Cosmos Bank and siphoned off nearly 944 million rupees ($13.5 million) through simultaneous withdrawals across 28 countries, leading to a significant financial loss for the bank and its customers [Article 74585]. 2. Unidentified hackers stole customer information through a malware attack on the bank's ATM server, resulting in the withdrawal of 805 million rupees in 14,849 transactions in just over two hours on Aug. 11, mainly overseas, impacting the security and trust of the bank's customers [Article 74585]. 3. The hackers also transferred 139 million rupees to a Hong Kong-based company's account by issuing three unauthorized transactions over the SWIFT global payments network, highlighting vulnerabilities in the bank's payment systems and potential risks associated with international transactions [Article 74585]. 4. The incident raised concerns about the security of the SWIFT messaging system, which is used to transfer trillions of dollars a day, emphasizing the need for enhanced cybersecurity measures in financial institutions to prevent such unauthorized transactions [Article 74585]. 5. The bank's main banking software was bypassed in the attack as a proxy switch was created, allowing fraudulent payment approvals to be passed by the proxy switching system, indicating a critical flaw in the bank's software infrastructure that was exploited by the hackers [Article 74585]. |
Preventions | 1. Implementing robust cybersecurity measures such as regular security audits, penetration testing, and intrusion detection systems could have helped prevent the malware attack on the ATM server [Article 74585]. 2. Enhancing the security of the SWIFT global payments network by implementing additional authentication layers or transaction monitoring systems could have prevented the unauthorized transfers to the Hong Kong-based company's account [Article 74585]. 3. Strengthening the authentication and authorization processes within the banking software to detect and prevent the creation of proxy switches during a malware attack could have mitigated the fraudulent payment approvals passed by the proxy switching system [Article 74585]. |
Fixes | 1. Implementing stronger cybersecurity measures to prevent malware attacks on the ATM server, such as regular security audits and updates [Article 74585]. 2. Enhancing the security of the switching system to prevent bypassing and creating proxy switches during attacks [Article 74585]. 3. Conducting thorough investigations to identify vulnerabilities in the system that allowed for simultaneous unauthorized transactions in multiple countries [Article 74585]. 4. Increasing awareness and training on cyber preparedness and defense mechanisms within the organization to prevent future incidents [Article 74585]. |
References | 1. Cosmos Bank (source of the incident details) [Article 74585] 2. SWIFT (mentioned in relation to the unauthorized transactions) [Article 74585] 3. City Union Bank Ltd (mentioned in a similar incident in February) [Article 74585] 4. Bangladesh central bank (mentioned in a previous hacking incident) [Article 74585] 5. Nikhil Bedi, partner with Deloitte India (quoted on cyber preparedness) [Article 74585] |
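
The transaction-monitoring control that the Preventions and Fixes rows call for, as an added example that is not Cosmos Bank's, SWIFT's or the article's own code: a velocity and geo-spread monitor over ATM withdrawal authorizations that flags the incident's signature (a burst of approvals across many countries within a short window, and one card cashed out in several countries within minutes). The record layout, the thresholds and the sample log are constructed assumptions.

```python
from collections import deque, defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; a bank would tune them to its own baseline.
WINDOW = timedelta(minutes=10)
MAX_TXNS_PER_WINDOW = 50        # approvals across the whole ATM fleet within WINDOW
MAX_COUNTRIES_PER_WINDOW = 5    # distinct countries across the fleet within WINDOW
CARD_COUNTRY_WINDOW = timedelta(minutes=30)  # one card approved in two countries this close

def parse(line):
    # Constructed record layout: "<ISO ts> card=<id> country=<ISO2> amount=<int> status=APPROVED|DECLINED"
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect(lines):
    """Return {rule_name: timestamp of first firing} over approved withdrawals."""
    window = deque()                  # approvals within WINDOW of the newest record
    by_card = defaultdict(list)       # card -> [(ts, country)] of earlier approvals
    alerts = {}
    for rec in sorted((parse(l) for l in lines), key=lambda r: r["ts"]):
        if rec["status"] != "APPROVED":
            continue                  # declines do not move money; only approvals count
        window.append(rec)
        while rec["ts"] - window[0]["ts"] > WINDOW:
            window.popleft()
        if len(window) > MAX_TXNS_PER_WINDOW:
            alerts.setdefault("burst", rec["ts"])
        if len({r["country"] for r in window}) > MAX_COUNTRIES_PER_WINDOW:
            alerts.setdefault("geo_spread", rec["ts"])
        hist = by_card[rec["card"]]
        if any(rec["ts"] - t <= CARD_COUNTRY_WINDOW and c != rec["country"] for t, c in hist):
            alerts.setdefault("card_multi_country", rec["ts"])
        hist.append((rec["ts"], rec["country"]))
    return alerts

def sample_log():
    """Constructed sample: a quiet domestic baseline, then a two-minute burst across eight countries."""
    base = datetime(2018, 8, 11, 15, 0)
    lines = [f"{(base + timedelta(minutes=7 * i)).isoformat()} card=C{i:04d} country=IN amount=2000 status=APPROVED"
             for i in range(5)]
    countries = ["CA", "HK", "US", "AE", "GB", "RU", "SG", "JP"]
    t0 = base + timedelta(hours=1)
    for i in range(60):   # 20 cloned cards cycling through 8 countries, 2 seconds apart
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} card=C{i % 20:04d} "
                     f"country={countries[i % 8]} amount=500 status=APPROVED")
    return lines
```

The geo-spread rule fires within the first seconds of the burst, well before the raw count threshold does, which is why the distinct-country check is the one worth alerting on first.
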
Category | Option | Rationale |
---|---|---|
Recurring | one_organization, multiple_organization | (a) The software failure incident having happened again at one_organization: - The article mentions that in February, India's City Union Bank Ltd reported three "fraudulent remittances" of nearly $2 million that had been pushed through the SWIFT financial platform [74585]. - This indicates a similar incident of unauthorized transactions happening within the banking sector in India. (b) The software failure incident having happened again at multiple_organization: - The article references a previous incident in 2016 where unknown hackers stole more than $81 million from the Bangladesh central bank's account with the Federal Reserve Bank Of New York [74585]. - This suggests a recurring pattern of cyber attacks targeting financial institutions globally. |
Phase (Design/Operation) | design, operation | (a) The software failure incident at Cosmos Bank was attributed to a malware attack on its ATM server, which allowed cyber criminals to steal customer information and carry out unauthorized transactions. The bank mentioned that during the malware attack, a proxy switch was created, bypassing the main banking software's switching system and enabling fraudulent payment approvals to be passed [74585]. (b) The operation of the SWIFT global payments network was compromised in the Cosmos Bank incident, as hackers managed to transfer 139 million rupees to a Hong Kong-based company's account through three unauthorized transactions. This indicates a failure in the operation of the SWIFT system, allowing the fraudulent transactions to go through [74585]. |
Boundary (Internal/External) | within_system, outside_system | (a) within_system: The software failure incident at Cosmos Bank was primarily due to a malware attack on its ATM server, which allowed hackers to steal customer information and conduct unauthorized transactions. The bank mentioned that a proxy switch was created during the attack, bypassing the main banking software's switching system [74585]. (b) outside_system: The hackers behind the incident managed to withdraw funds from ATMs in 28 countries and transfer money to a Hong Kong-based company's account. This indicates that the attack originated from outside the bank's system, involving international transactions and coordination across multiple locations [74585]. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident at India's Cosmos Bank was primarily due to non-human actions, specifically a malware attack on its ATM server that allowed cyber criminals to steal customer information and carry out unauthorized transactions [74585]. The bank mentioned that a proxy switch was created during the malware attack, bypassing the main banking software's switching system and enabling fraudulent payment approvals to be passed [74585]. (b) The incident also involved human actions as the cyber criminals hacked the systems of the bank, stole customer information, and carried out unauthorized transactions. Additionally, the police were investigating the theft and had enlisted the help of experts to understand how authorized transactions were conducted simultaneously in various countries [74585]. |
Dimension (Hardware/Software) | software | (a) The software failure incident in the Cosmos Bank hacking incident was primarily due to a malware attack on the bank's ATM server, which allowed cyber criminals to steal customer information and carry out unauthorized transactions. The bank mentioned that a proxy switch was created during the malware attack, bypassing the main banking software's switching system [74585]. (b) The software failure incident was also attributed to the bank's main banking software being bypassed in the attack, leading to fraudulent payment approvals being passed by the proxy switching system created by the hackers. This indicates a failure originating in the software system of the bank [74585]. |
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident at India's Cosmos Bank was malicious in nature. Cyber criminals hacked the bank's systems and siphoned off nearly 944 million rupees through simultaneous withdrawals across 28 countries. The hackers stole customer information through a malware attack on the bank's ATM server, making unauthorized transactions and transferring funds to a Hong Kong-based company's account [Article 74585]. |
Intent (Poor/Accidental Decisions) | poor_decisions | The software failure incident at India's Cosmos Bank was a result of poor decisions made by cyber criminals who hacked the bank's systems. The hackers utilized a malware attack on the bank's ATM server to steal customer information and carry out unauthorized transactions, including ATM withdrawals and transfers through the SWIFT global payments network [74585]. The bank mentioned that during the malware attack, a proxy switch was created, bypassing the main banking software's switching system, which allowed fraudulent payment approvals to be passed through the proxy switching system [74585]. This indicates that the failure was a result of poor decisions made by the hackers to exploit vulnerabilities in the bank's systems. |
Capability (Incompetence/Accidental) | development_incompetence, unknown | (a) The software failure incident related to development incompetence is evident in the article as cyber criminals hacked the systems of India's Cosmos Bank by stealing customer information through a malware attack on its automated teller machine (ATM) server. The hackers were able to withdraw a significant amount of money through unauthorized transactions, indicating a breach in the bank's security measures [Article 74585]. (b) The software failure incident related to accidental factors is not explicitly mentioned in the article. |
Duration | temporary | The software failure incident at Cosmos Bank, where cyber criminals hacked the systems and siphoned off funds, can be categorized as a temporary failure. This is evident from the fact that the hackers were able to conduct unauthorized transactions and withdrawals over a specific period, which was just over two hours on Aug. 11 [74585]. This indicates that the failure was temporary and not a permanent one. |
Behaviour | omission, value, other | (a) crash: The software failure incident in the article does not specifically mention a crash where the system loses state and stops performing its intended functions. (b) omission: The incident involves the omission of the system to perform its intended functions as cyber criminals were able to steal customer information and carry out unauthorized transactions through a malware attack on the bank's ATM server [74585]. (c) timing: The timing of the software failure incident is not explicitly mentioned in the article. (d) value: The incident involves a failure in the system performing its intended functions incorrectly, leading to unauthorized transactions and siphoning off funds from the bank [74585]. (e) byzantine: The software failure incident does not exhibit a byzantine behavior with inconsistent responses and interactions. (f) other: The behavior of the software failure incident in the article can be categorized as a security breach due to cybercriminals hacking the bank's systems, stealing customer information, and carrying out fraudulent transactions [74585]. |
Layer | Option | Rationale |
---|---|---|
Perception | processing_unit | (a) sensor: The software failure incident at Cosmos Bank was not directly related to a sensor error. The incident involved cyber criminals hacking the bank's systems and siphoning off money through ATM withdrawals and unauthorized transactions, indicating a breach in the bank's cybersecurity rather than a sensor error [Article 74585]. (b) actuator: The failure at Cosmos Bank was not attributed to an actuator error. The incident involved cyber criminals hacking the bank's systems and manipulating the banking software to approve fraudulent transactions, indicating a failure in the software system rather than an actuator error [Article 74585]. (c) processing_unit: The software failure incident at Cosmos Bank was related to a processing error. The bank mentioned that during the malware attack, a proxy switch was created, and all fraudulent payment approvals were passed by the proxy switching system, indicating a failure in the processing unit of the bank's software system [Article 74585]. (d) network_communication: The failure at Cosmos Bank was not attributed to a network communication error. The hackers transferred money overseas and conducted unauthorized transactions through the SWIFT global payments network, which indicates a breach of the bank's access to that network rather than an error in network communication itself [Article 74585]. (e) embedded_software: The failure at Cosmos Bank was not directly attributed to an embedded software error. The incident involved cyber criminals hacking the bank's systems and manipulating the banking software to carry out fraudulent transactions, indicating a breach in the cybersecurity of the bank rather than an embedded software error [Article 74585]. |
Communication | connectivity_level | The software failure incident reported in Article 74585 was related to the communication layer of the cyber physical system that failed at the connectivity_level. The incident involved a malware attack on the automated teller machine (ATM) server of India's Cosmos Bank, leading to unauthorized transactions and withdrawals. The bank mentioned that a proxy switch was created during the attack, bypassing the main banking software's switching system, which allowed fraudulent payment approvals to be passed through the proxy switching system. Additionally, the hackers transferred funds to a Hong Kong-based company's account using the SWIFT global payments network [74585]. |
Application | TRUE | The software failure incident at Cosmos Bank, where cyber criminals hacked the systems and siphoned off funds, was related to the application layer of the cyber physical system. The bank mentioned that during the malware attack, a proxy switch was created, and all the fraudulent payment approvals were passed by the proxy switching system, bypassing the main banking software's switching system [74585]. This indicates that the failure was due to contributing factors introduced by bugs, operating system errors, unhandled exceptions, and incorrect usage at the application layer of the system. |
Category | Option | Rationale |
---|---|---|
Consequence | property | (d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident at India's Cosmos Bank resulted in cyber criminals hacking the bank's systems and siphoning off nearly 944 million rupees ($13.5 million) through unauthorized transactions. The hackers withdrew 805 million rupees in cash from ATMs in 28 countries and transferred 139 million rupees to a Hong Kong-based company's account through the SWIFT global payments network [Article 74585]. |
Domain | finance | (a) The failed system was related to the finance industry as cyber criminals hacked the systems of India's Cosmos Bank and siphoned off nearly 944 million rupees through unauthorized transactions and ATM withdrawals [Article 74585]. |
Article ID: 74585