How Union Bank was hacked and got its money back
Union Bank of India recently fell prey to hacking—robbing the lender of $171 million—but the hackers made a silly mistake
Mumbai: It was just another Friday for the hundreds of office goers who were jostling with each other to get to their own work places in and around the corporate office of the Union Bank of India at Nariman Point in Mumbai. Even those queuing up in the early hours at the cash counters across the 4,233 branches and 7,946 ATMs of the bank spread across India, were calmly going about their tasks— depositing money or withdrawing cash.
However, those early hours of 21 July 2016, were going to be anything but ordinary for the chairman and managing director of Union Bank, Arun Tiwari, who also sits in the corporate office—the Union Bank Bhavan. Happily going about his routine tasks of reading newspapers, sipping a cup of tea and updating himself of the goings-on in the bank, Tiwari was just settling in when his phone rang.
He still remembers the time. “It was around 10.30am when I was informed that an unidentified hacker was attempting to swindle us of $171 million (about Rs1,100 crore at today’s rates) from our Nostro account.” A Nostro account is an account that a bank holds in a foreign currency in another bank.
All hell should have broken loose. But Tiwari, who insists that he is a “non-technical” person kept his cool. “The thing uppermost in my mind was that I had to quickly get onto the money trail and recover the money.”
That was easier said than done. By the time the Union Bank official in the treasury department, who was reconciling the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payments for the day realized that an amount of $171 million had already been debited from the dollar account of the bank without his authorization, the money had travelled far and wide.
The money had found its way to accounts in two banks in Cambodia—the Canadia Bank Plc and RHB IndoChina Bank Ltd, besides the Siam Commercial Bank in Thailand, Bank Sinopac in Taiwan, and a bank in Australia. These funds were routed by Citibank New York and JP Morgan Chase New York, which hold UBI’s foreign exchange accounts.
Even as Tiwari informed the Reserve Bank of India (RBI), the ministry of external affairs and Gulshan Rai, director general of the Indian Computer Emergency Response Team (CERT-In), to apprise them of the matter and take advice, he simultaneously sent a terse message instructing all the staff at Union Bank Bhavan that “a whole floor on that building was to be cordoned off, and that all staff members working to solve this problem would only leave after the matter was resolved”.
“Inspection investigation was done by CERT-In, RBI, our own team,” Tiwari recalls, adding that he also appointed consulting firm EY “the same night”. EY said “as far operations are concerned, you are ahead of time. Whatever was required to be done, as a non-technical person, has already been done.”
How did it exactly happen?
First, the bank had to know what exactly had gone wrong and how the hackers got access to Union Bank’s servers. Did an insider assist in the task or was it a breach by an external device?
It appears, it was neither. Rather, it was an email from a very authentic source— (RBI)—with an attachment. “This email was sent to a few email IDs, and some of them were from customer care, e-banking and some were addressed to individuals too. It might have happened even before 20 July,” Tiwari recalls.
Kartik Shinde, partner, advisory services, EY, recalls receiving a call at 10pm that night. “Which PSU (public sector undertaking) bank in India has that ability to take that call? I know of two-three others, who started evaluating vendors, took prices from them. UBI said start the work and we will give whatever the fees. You need to have someone authoritative in the bank like the chairman who will take the call saying that I will take the necessary approvals from CVC (Central Vigilance Commission) and all others but get this analysis done sooner because the more time you spent analysing it, you are giving more lead time for attackers to cover up their tracks, to get out of the system,” he said.
It wasn’t that Union Bank was the specific target. Shinde insists that “I wouldn’t say it was a random pick. If I have to break into this network, I will send the payload or malware to all employees. It doesn’t matter who clicks on the link. The hacker simply wants to access the system from where he will do the transaction.”
This is also what happened in Union Bank’s case. The “phishing”—an attempt to obtain sensitive information such as usernames, passwords and other financial details by pretending to be a trustworthy entity—mails were sent to 15 email IDs. “Three people reported that the email was suspicious to the IT security. The other Union Bank employees were “technically-savvy” persons. They noticed that although the email address said @rbi.org.in, it had an attachment that a zip file. Within the zip file, there was a dot (xer) file and not a dot pdf file, which is why they reported it as suspicious,” Shinde said.
Unfortunately, one of the “not-so-tech-savvy” Union Bank officials fell prey to the phishing email and clicked on the link which released the malware that went viral on the bank’s servers. The hackers would have got their way and swindled the cash but for a silly mistake they made, according to Shinde.
When a bank does a SWIFT transaction during the day, they typically get a reconciliation report the next day and all the corresponding banks send them the “end-of-the-day balance” report the following morning.
When Union Bank got it from the originating bank, they saw a difference of $170 million and that alerted them because of one mistake—the hackers deleted the six entries they had made.
“That’s why we say it’s quite similar to the Bangladesh online heist (theft of $81 million from the central bank of Bangladesh in February 2016). If they had not deleted the entries, it would have taken some more time for the bank to realise that there are fraudulent transactions,” Shinde explained.
Every bank runs a reconciliation process at the end of the day. The malware that infected the central bank of Bangladesh, too, had a component which manipulated the SWIFT’s prt file. The prt file is a print file which usually prints the report of transactions for that day.
For instance, if the report shows 106 transactions when they have actually done only 100 transactions, the discrepancy will come to light. This is one reason why the hackers deleted the six transactions in the Union Bank episode.
However, this is also the reason that the hack was discovered.
So what did Union Bank do?
Shinde recalls some RBI officials being there when the forensics began.
“The CBI (Central Bureau of Investigation) had not come yet. The cybercrime cell officials were there. Traditional police mentality was it must be some insider,” Shinde said.
Even a First Information Report (FIR) was filed almost a month after the incident, according to Tiwari.
“It took us sometime to zero down on the fact that the attack was similar to what happened in the Bangladesh case,” Shinde explained.
EY officials went about doing an analysis of the server and “some network forensics”. They, thus, narrowed down on the systems involved. “Imaging takes 48 hours, indexing takes 24 hours. For instance, when you put a system to do imaging of the disk, it takes two days for a 2 terrabyte (TB) hard disk. There is a lot of time lag that happens. We had a tough time facing the regulators and security officers. It was a high-pressure environment. RBI used to call us every day, asking us what happened. We had to tell them that analysis takes time,” Shinde said.
The problem, according to Shinde, is that EY had access only to a “limited set of logs”.
Organizations, according to Shinde, typically keep logs in the system for a period of 2-4 months and not for 1-2 years. The reason is also that the data is humongous.
“If someone had the ability to analyse a two-year log, you’d have different answers coming out. It’s very difficult. So attribution of zeroing down on a particular geography is very difficult.”
In UBI’s case, the UBI employee was sitting in the Mumbai office. But he could have been anywhere. Given that networks of most organizations are flat, SWIFT networks are not segregated—one computer can reach the other computer very easily, according to Shinde. The objective of the attacker is to infect anyone and then start searching for critical systems within the network. In technical terms, it’s called lateral movement, Shinde explained.
After analyzing the problem with the “limited resources” on hand, Union Bank delinked its “380-odd SWIFT pan-India connections” in a bid to centralize operations. “Then we created space in this building (Union Bank Bhavan), and had around 40 hotline operators manning the phones. I had told them that nobody will leave till such time that this is put in place and tested,” Tiwari explained.
The ploy worked. As regulation necessitates, Union Bank informed the exchanges on 22 July that “…there was an attempted cyber incidence in USD Nostro Account of the bank. The money trail was promptly traced and movement of funds was blocked. Resultantly, there is no loss caused to the bank”.
“What pains me —in cricket, we call this a late run. The headlines (referring to reports that appeared a year after the heist) are screaming as if this happened yesterday,” Tiwari rued.
He added, “We had, and have, concurrent manual checks too. In all these kinds of heists, money is lost or partly retrieved. Credence must be given that we did not lose a single cent. We recovered about 70% of the money within 24 hours. The last tranche of $30 million took me 50-60 hours because of a legal process.”
But isn’t prevention better than cure?
Union Bank, according to the 22 July press statement to the exchanges, added that a cybersecurity forensic audit was being done to “identify, plug any gaps and strengthen the system. “There is no impact on the Bank’s operations,” the note concluded.
The question that begs an answer—one which even Tiwari could not answer satisfactorily—is who was to blame for the lapse: Union Bank or SWIFT?
Kiran Shetty, CEO of SWIFT India, insisted that “SWIFT’s system has not been compromised. We have not got a cyber report from Union Bank or any forensic report from them. The investigation is closely held by them. In most cases, when cyber attacks happen, people are not forthcoming with information. We have not been exposed to full details.”
“Globally, there are controls and principles we are defining. We are revisiting the vendors that we have in terms of our connection. We have never been compromised. We are only doing pieces to further strengthen the evolution of our system. We are doing roadshows across five cities in India along with the Indian Banks Association talking about cyber security controls, cyber hygiene, etc,” Shetty said.
Shetty, though, acknowledged that “cyber threat is real and is growing”. According to him, the pace of digitization that we have seen in the last decade and at a more accelerated pace, requires the same level of investment on the cyber side as well. The regulator (RBI), he added, has introduced regulations around a CISO (chief information and security officer) directly reporting to the board. There is also a customer security programme where “we are now mandating 27 controls, of which 16 are mandates and 11 are advisory. If you don’t have 16, we will start reporting to the regulator.”
Implementation of all these regulations will have to be done by the end of the year.
Even Tiwari expressed his inability to share a copy of the forensics report. “I cannot share further details because even I don’t have a copy,” he said.
Tiwari, however, pointed out that the measures his bank has undertaken after the incident last July included the “most stringent filtering, awareness of employees, whitelisting (proactive security technique that only allows a limited set of approved programs to run while blocking the others), BIOS passwords (to prevent external devices from accessing computers and servers) and engagement with regional office levels constantly”.
He added, though, that even as the bank was fortifying its IT platform “trying to see how to make your processes efficient”, he would not rule out future cyber attacks.
“We have put the best IT guys on the jobs and even a CISO but the fact is that however many locks you put on the door, a burglary can still take place. The point is to remain alert and put measures in place, which we have done already,” Tiwari insisted.
Shinde concurred that cyber crimes are well thought and well researched most of the times. Even when EY does cyber attack simulations, the first part is the reconnaissance phase.
“It’s like in any war on an attack, you first do a thorough reconnaissance on the target to see how weak they are, what controls are there, who to target first, what are the avenues for entry, how many avenues are there,” Shinde explained.
Shinde added that one can easily pick up and sniff out email addresses from employees putting news on groups, public forums.
“It’s possible that Union Bank, too, could have been targeted via a reconnaissance exercise. This is just one bank which has come out in the open. We don’t know how many banks are there who have gone through the same incident and not reported it to the regulator,” Shinde said, concluding, “Even if you fix everything, you cannot rule out the chance that it will not happen again. In UBI’s case, they responded faster. Today, the response time is critical.”
Incidents of hacking in recent times
—Federal prosecutors are investigating North Korea’s possible role in a SWIFT hack that resulted in the theft of $81 million from the central bank of Bangladesh in February 2016, according to a 15 April report in the New York Times. Security researchers found that traces of code used in the Bangladesh theft had been used in a cyber attack against Sony in 2014, which the Obama administration and security experts blamed North Korean hackers for carrying out, the report added. Soon after RBI asked Indian banks to immediately put in place a cyber security policy.
—Card data of 3.2 million customers was stolen between 25 May and 10 July in 2016 from a network of Yes Bank Ltd ATMs managed by Hitachi Payment Services Pvt. Ltd.
—Axis Bank reported cyber security breach in October 2016; malware found in its server; no monetary loss reported.
—Bank of Maharashtra lost Rs25 crore when a bug in the Unified Payments Interface (UPI) system allowed people to send money without having the necessary funds in their accounts earlier this year.
—On 8 April SBI ATM in Odisha spews out cash without any card being swiped. Physical malware attack suspected in these ATMs.