Hacked: How $171 mn stolen from Union Bank was recovered

Even as the government marked Digital India Day, encouraging more Indians to move to banking online, investigators and cyber security agencies are battling more breaches of banking transfer security, admitting that “non-state” actors are increasingly targeting India.

Details are only just emerging of the biggest such hack, of $171 million in July 2016, which necessitated a seven-country hunt that had to be spearheaded at the top levels of government to reverse the theft. The transfer was double the size of the Bangladesh Central Bank heist, in which $81 million was lost in February 2016, but most details have been kept under wraps so far.

Chairman of the Union Bank of India Arun Tiwari as well as India’s cyber security chief, Dr. Gulshan Rai, who were involved in the operation, confirmed to The Hindu that while the attack was serious, all of the money had been retrieved within days.

“We worked in record time with the Reserve Bank of India, bank authorities and government agencies coordinating efforts. The bank succeeded in blocking the transfer of funds and credited the entire amount in a record period of six days,” Mr. Rai, who is the country’s first Chief Information Security Officer, said.

“Investigations have been carried out by different agencies. And whatever was suggested [to improve security], has been implemented,” Mr. Tiwari said.

Events unfolded on the evening of July 20, towards the end of the bank-week, officials said, piecing together the sequence. On that Thursday, a Union Bank of India official in the treasury department looking at SWIFT (Society for Worldwide Interbank Financial Telecommunication) payments was checking statements for the day from their dollar account, when he noticed a startling discrepancy. An amount of $171 million had been debited from the bank without his authorisation. He quickly raised a red flag to the bank’s top management about the transaction. “I haven’t authorised any such payment last night,” he reportedly told the bank’s management.
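The discrepancy described above was caught because someone compared the day’s nostro-account statement against what the treasury had actually authorised. The following is an added illustration of that reconciliation as an automated control; it is not code from the bank, from SWIFT or from the article. The record layouts are constructed and deliberately simplified (they are not SWIFT MT940/MT103 syntax), and every reference, amount and institution code is a made-up sample value.

```python
"""Reconcile a correspondent-account statement against the bank's own record
of released payments and flag any debit nobody authorised.

Added illustration with constructed, simplified records; not real SWIFT syntax.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Debit:
    ref: str          # transaction reference as it appears on the statement
    amount: Decimal   # settled amount in USD
    beneficiary: str  # receiving institution (constructed BIC-like code)


@dataclass(frozen=True)
class Authorisation:
    ref: str
    amount: Decimal
    beneficiary: str
    approved_by: str  # user who released the payment in the bank's own system


def reconcile(statement, authorised):
    """Return (unauthorised, mismatched, unused).

    unauthorised: statement debits with no matching authorisation at all
    mismatched:   debits whose reference is known but whose amount or
                  beneficiary differs from what was released (tampering or error)
    unused:       authorisations with no corresponding debit (late or failed payments)
    """
    by_ref = {a.ref: a for a in authorised}
    unauthorised, mismatched, seen = [], [], set()
    for d in statement:
        a = by_ref.get(d.ref)
        if a is None:
            unauthorised.append(d)
            continue
        seen.add(d.ref)
        if a.amount != d.amount or a.beneficiary != d.beneficiary:
            mismatched.append((d, a))
    unused = [a for a in authorised if a.ref not in seen]
    return unauthorised, mismatched, unused


# Constructed sample data: what treasury released during the day ...
AUTHORISED = [
    Authorisation("TRSY20160720-001", Decimal("2500000.00"), "BANKXXYY", "treasury_ops_1"),
    Authorisation("TRSY20160720-002", Decimal("800000.00"), "BANKZZQQ", "treasury_ops_2"),
    Authorisation("TRSY20160720-003", Decimal("1000000.00"), "BANKAAAA", "treasury_ops_1"),
]
# ... and what the correspondent's statement says actually left the account.
STATEMENT = [
    Debit("TRSY20160720-001", Decimal("2500000.00"), "BANKXXYY"),
    Debit("TRSY20160720-002", Decimal("800000.00"), "BANKZZQQ"),
    Debit("TRSY20160720-003", Decimal("1000000.00"), "BANKBBBB"),   # beneficiary altered
    Debit("FX20160720-9917", Decimal("171000000.00"), "UNKNOWNBK"),  # never released internally
]


def total_unauthorised(statement=STATEMENT, authorised=AUTHORISED):
    """Sum of debits that have no authorisation record at all."""
    unauth, _, _ = reconcile(statement, authorised)
    return sum((d.amount for d in unauth), Decimal("0"))


if __name__ == "__main__":
    unauth, mism, unused = reconcile(STATEMENT, AUTHORISED)
    for d in unauth:
        print(f"ALERT unauthorised debit {d.ref}: {d.amount} USD to {d.beneficiary}")
    for d, a in mism:
        print(f"ALERT {d.ref} released to {a.beneficiary} for {a.amount}, "
              f"settled to {d.beneficiary} for {d.amount}")
    for a in unused:
        print(f"INFO authorised payment {a.ref} not yet on statement")
```

The point of keeping the authorisation record in the bank’s own system, separate from the messaging interface, is that a compromise of the SWIFT-connected workstation alone cannot make a fraudulent debit look authorised: the statement still has to reconcile against a release the attacker never obtained.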

By then the money had found its way to at least five locations, including accounts in Cambodia’s Canadia Bank and RHB IndoChina Bank, Thailand’s Siam Commercial Bank, Bank Sinopac in Taiwan, and a bank in Australia. These funds were routed by Citibank New York and JP Morgan Chase New York, which hold UBI’s foreign exchange accounts.

MEA steps in

According to cybersleuths, who were brought into the investigation, the hacking had occurred by sending malware to a bank official, who mistakenly opened an email that enabled the robbery. By the next day, when the extent of the loss was known, senior officials of the Ministry of External Affairs and other offices in South Block were pressed into action to retrieve the money.

One tricky negotiation was with the Taiwanese government with which India doesn’t have diplomatic ties, particularly as a court order was needed to secure the banking reversal instruction. However, with some pushing from U.S. officials, the entire $171 million was traced.

As the money trickled back into their accounts, Union Bank officials heaved a sigh of relief. Despite the speed and efficiency of operations to recover the money, not much is known about the follow-up investigations. An FIR was filed only a month later, on August 25 (FIR 243/2016), at Mumbai’s Cybercell, but bank officials said they had no information on further follow-ups, including details of a charge sheet or of investigations in any of the six other countries involved.

“We tracked, stopped, recovered,” Mr. Tiwari said, indicating that the bank considers the temporary $171 million loss a closed chapter now.

RBI pressure

Meanwhile, the Reserve Bank of India (RBI) has asked banks to put stricter systems in place, including appointing a Chief Information Security Officer (CISO). The RBI has also created a specialised cell (C-SITE) to conduct detailed IT examination of banks’ cyber security preparedness, to identify the gaps and to monitor the progress of remedial measures by 2017-18.

“There is an increasing trend in incidents pertaining to theft of personal information,” RBI deputy governor S.S. Mundra warned bankers at a seminar on Financial Crimes Management arranged by the Centre for Advanced Financial Research and Learning (CAFRAL) in February. CAFRAL is an independent body set up by the central bank.

“We have already witnessed an attempt to defraud a bank by abusing the SWIFT messaging system which thankfully could be salvaged post event without any apparent monetary loss. We also continue to receive information on several other cyber incidents — be it ransomware attack, ATM / Debit card incidents or unauthorised access to bank servers,” Mr. Mundra said.

Customers at risk

Also worrying are smaller hacks that defraud poorer, less educated customers, who are unable to detect the fund transfers before it is too late to retrieve them. Last year, several banks were forced to replace cards or change PINs on 3.2 million cards after security was compromised by malware that cost the banking industry ₹2 crore. State Bank of India — the country’s largest lender — had to reissue around six lakh debit cards to its customers.

On March 8 this year, the Pune-based Bank of Maharashtra filed an FIR with the Shivaji Nagar police station, after it detected at least ₹25 crore missing from various accounts. Cyber investigators tracked the problem to a UPI (Unified Payments Interface) solution from a local vendor, but couldn’t retrieve most of the money.

The National Payments Corporation of India (NPCI) also denied any suggestion that the government’s much-advertised BHIM (Bharat Interface for Money) app is vulnerable. “The environment in which BHIM or UPI is run by NPCI is highly secure and certified with best global practices like PCI DSS ISO 27001,” NPCI said in a statement.

Cyber terror threat

The trail from the Union Bank of India (UBI) could lead in many directions, say investigators, especially as cyber terror becomes a bigger threat than cybercrime. Parallels have already been drawn to the Bangladesh cyber attack, which used similar malware, and to other attacks around the world, including the 2014 hack of Sony Pictures Entertainment that crippled its network for weeks, a heist of $1 million from the Vietnamese bank Tieng Pho in 2015 and a cyber attack on Polish banks in February 2017.

“Normally the perpetrators in such cases are hidden many layers below so called proxy servers. It becomes difficult to identify the real perpetrator. The present international legal framework presents several constraints in identifying the perpetrators,” said a senior cyber security and ICT official. He went on to warn that “non-state” actors are at the forefront of the attacks at the moment, but other linkages would need to be established.

Kiran Shetty, chief executive officer and sub-regional head of SWIFT India, said its systems have never been breached.

“It was not a breach of SWIFT. We don’t have a control on bank environments. Our environments have never been compromised or breached,” he said.

“While digital banking transactions have exploded, cyber security and cyber management have not kept pace,” Mr. Shetty pointed out.

“There are certain fundamentals to avoid such an incident like not sharing passwords, having firewalls in servers etc. If people take care of these, 85% of the cyber attacks could have been avoided,” he said, adding that SWIFT has issued guidelines to its members to avoid any cyber breaches and some of the norms have been made mandatory.