Recent Cyber Security Attack Trends in Nepali Financial Sector

Saturday 8, 2019, Kathmandu

Recently, we observed more than NRs. 12 Million in cash sweep from ATMs in Nepal. Close observation by the bank’s staff and swift operation by Nepal Police led to capture of the individuals involved in the crime. While the details of forensic reports are yet to come out, the initial suspect is a malware injected into the ATM switch that connects ATM devices with banks for authentication and authorization of monetary transactions.  In the meantime, Nepal Rastra Bank has instructed the bank from whose ATMs the money was swept, to conduct a forensic lab test. Nepal Rastra Bank is also preparing a Cyber Security Directive for Banking and Financial Institutions (BFIs) in Nepal to strengthen cyber defense mechanisms. In 2018, Cosmos Bank, India lost almost USD 13.5 Million due to such an attack. According to the International Monetary Fund, BFIs have lost more than USD 100 Billion annually due to cyber attacks.  The amount accounts to nine percent (9%) of the annual income of the BFIs. 

Cyber attacks in BFIs are evolving into more sophisticated attacks. In 2018, two Nepali BFIs observed attack patterns of the Lazarus group on their servers. The attack, that is believed to be controlled by Lazarus group from North Korea, gets malware into server systems of banks then allows execution of commands the attackers send via Command and Control (CNC) Servers hosted on the Cloud. Lazarus group attack is aimed at withdrawing money from ATMs in local currency. These attack patterns in 2018 were identified by forensic analysis of the CNC server images. The threat information was shared with the banks before the actual incident occurred. The two BFIs took immediate action to protect their servers and the unfortunate event couldn’t happen. npCert was actively involved in informing the banks about prospective attach and advising proactive measures to be taken to the banks. In the recent attack, an abnormal pattern of cash withdrawal was observed by bank staff and shared with Nepal police that led to the capture of the individuals involved.

Both of these attacks were not detected by any sophisticated technology in Nepal. One common practice observed in both incidents was ‘threat intelligence sharing’. In 2018, different cybersecurity research firms such as npCert, ThaiCert, VISA, and Symantec shared the threat intelligence of attack pattern before the BFIs were exploited. In a recent attack, the bank duly informed Nepal Police about the activity. Threat intelligence sharing has been a key activity to protect organizations from the latest cyber attacks. Refraining from sharing threat intelligence or incidents would result in more devastating attacks.

Most of the BFIs in Nepal lack a sophisticated Security Operations Center (SOC) that enables automated monitoring of their computer and ATM networks for suspicious activities. A SOC monitors the incoming and outcoming network traffic as well as traffic that is internal to the BFI in real-time. Security analysts analyze network traffic patterns around the clock for any suspicious patterns. BFIs need to aggressively work towards implementing SOC to protect their networks. 

The role of Cyber Security Directive for BFIs is also crucial in preparing BFIs for proactive measures to be taken into consideration with immediate effect. Compliance with such a directive would ensure that the network and computers of BFIs are protected at least for most common vulnerabilities and attacks. 

BFIs need to adopt the latest technology to defend cybersecurity attacks. Continuous research on attack patterns, security tools and collaboration would prepare BFIs for next generation of attacks. As most of the information and services are delivered via digital media these days, the adoption of new technology is proliferating in the banking and financial sector. New technologies, though provide better services, are not free from vulnerabilities. In addition, preparing the human firewall for ethical practices and cyber hygiene is also very important.

Pramod Parajuli, PhD (Senior Vice Presient at npCert, AI Consultant and Risk Specialist)


Please enter your comment!
Please enter your name here