In October, newspaper readers suddenly woke up to the story of a massive cyberattack on the Indian banking sector. While details remained sketchy, the reports said that several banks had initiated a process to recall 3.2 million debit cards of their customers as a precautionary measure.
The cyberattack that took place on the banks and the way it was handled subsequently has underscored how vulnerable India really is to major cyberattacks that could have catastrophic consequences on critical infrastructure. Curiously, the government did not institute a major investigation into this incident. Instead, it depended on the compromised vendor, which runs the ATM networks for several banks, to institute an inquiry and accepted their findings without questioning them. No police investigation was ordered and no action was initiated to track down the people who had launched the attack.
These questions are critical at a time when the country is gearing up to put 1.2 billion Indians and foreign nationals residing in India onto the Aadhaar system, which aims to give every Indian resident a 12-digit biometrically linked identity number. By connecting several databases to this system for authentication, the government is building a system that has huge national security considerations. How the government deals with major cyberattacks such as the one in October is a reflection of how insecure India is from complex cyberattacks.
When the attack came to light in October, nobody knew how the unprecedented breach had occurred and what had led to it. The attack compromised the sensitive banking data of millions of customers, making their accounts vulnerable to exploitation by the hackers.
The prime source of the breach was suspected by the government’s security experts to be a Chennai-based company, Hitachi Payments Services Private Limited, a behemoth that runs over 52,000 ATMs and 90,000 mobile point-of-sale devices that process credit card payments in shops and restaurants, and so handles sensitive data of millions of banking customers. A few days after the reports of the attack appeared, Loney Antony, the Managing Director of Hitachi Payments Services, denied that its security had been breached.
“We had appointed an external audit agency certified by the Payments Card Industry-Data Security [a body that certifies compliance to security standards set by the industry] in the first week of September, to check the security of our systems for any breach or compromise based on a few suspected transactions that were highlighted by banks for whom we manage ATM networks,” Antony told several media outlets. “The interim report published by the audit agency in September, does not suggest any breach/compromise in our systems. The final report is expected by mid-November.”
But in February this year, Hitachi Payments Services owned up to the breach and issued an official press release confirming that its systems had in fact been compromised. Clearly, what Antony had stated in October was not accurate. The investigation was eventually handed over to another independent firm, SISA Information Security Private Limited, and it led to some major discoveries. The findings of the investigation remained confidential, and the details in the official release were misleading, or at best sketchy. The official release was silent on the extent, nature, entities affected and reasons for the breach. The truth never came out.
One of the biggest breaches of the Indian banking sector was quietly buried to avoid any public scrutiny.
In a written reply to the Lok Sabha on March 17, the minister of state for finance Santosh Kumar Gangwar confirmed that a breach had indeed taken place. Though the attackers had managed to infect 2.9 million cards, they managed to defraud only 3,291 of them.
But inquiries by Scroll.in have thrown up some disturbing facts.
The breach, it seems, did not take place between May 21 and July 11 last year, as the Hitachi Payments Services release claimed. According to several government officials from different entities with a mandate to protect cybersecurity, who are familiar with the investigation, the breach is estimated to have taken place anywhere between a year and a year and a half earlier, sometime in 2015.
The hackers managed to penetrate the Hitachi Payments Services systems using several vulnerabilities, but it appears that initially they were not aware of what they had breached. The hackers took a while to figure out what they had hacked into, but they kept at it until they discovered that they were inside a payment switching system.
Hitachi Payments Services plays a critical role in the ATM network run by several banks. Every time customers go to an ATM, they present the details of their bank account stored in the magnetic strip of their card. They then enter the PIN, which is sent to the bank’s server through encrypted channels to authenticate the customer. Once that authentication is done, the ATM carries out the desired transactions.
Hitachi Payments Services runs the servers that allow this process to take place. It is part of the network that is also facilitated by the National Payments Corporation of India, a special company floated by several banks to run the switches that allow all online banking transactions in India. (Incidentally, the National Payments Corporation of India is a key part of the Aadhaar network, and will be using its database to facilitate a host of online financial transactions based on the digital identity project.)
Investigations by Scroll.in also reveal how the attackers found a vulnerability in the Hitachi Payments Services systems. Sometime in 2015, Hitachi Payments Services had installed a new system to run its internal Human Resources functions. Investigators at SISA Information Security found several flaws in this software that led to the initial breach. But there were two other major slip-ups that allowed such a widespread breach.
The server running the Human Resources software was insecure, yet it was placed within the de-militarised zone, a virtually created secure zone meant to protect the information on these banking network servers. The de-militarised zone ring-fences the servers in order to prevent cyberattacks. By placing inside it an insecure server running software with several vulnerabilities, however, the protection the de-militarised zone was meant to provide was severely compromised.
The hackers benefitted from another lucky coincidence. Hitachi Payments Services had an old proxy server, which served as a backup to the main server it used to run the switching operations. Perhaps due to lack of adequate oversight, this was forgotten and continued to run without any major upgrades or security patches. This allowed the hackers to get into the system and start infecting the ATM machines that were connected to the Hitachi Payments Services network.
Yes Bank is one of the major customers of Hitachi Payments Services, which runs part of its ATM operations. The ATMs run on what is known as a WIN XFS system, which is considered quite old and vulnerable. According to at least three senior government officials who are familiar with the investigation, a number of ATMs in the Yes Bank ATM network run by Hitachi Payments Services were infected once the hackers breached its systems. As a result, every time a customer from any other bank used Yes Bank’s infected ATMs, they were also compromised: the malware from the Yes Bank ATM infected the debit card used. When this infected debit card was used at ATMs of other banks, those also got infected. And this continued to spread.
The breach went undetected for so long that 2.9 million cards were eventually infected, according to the figures presented in Parliament by minister of state Santosh Kumar Gangwar.
To be clear, this was not the fault of Yes Bank. Their operations had been contracted to Hitachi Payments Services, which was in denial of the breach. As suspicious transactions started taking place in China and the United States, officials started waking up to the problem. Even at that stage, officials of the various banks under attack had not spoken to each other. So all of them flagged it as a “fraud” instead of attributing it to a malware attack by hackers. As Scroll.in reported in October last year, no one connected the dots.
In response to a detailed questionnaire, a Yes Bank spokesperson declined to comment on whether the systems run by Hitachi Payments Services had been compromised. The spokesperson maintained that “the queries shared by you are based on factually incorrect information”. He also pointed out that the breach had “not occurred in Yes Bank’s environment”. Technically, the breach did indeed take place in the environment of Hitachi Payments Services, which was one of the bank’s vendors, running a part of its ATM services.
Struggle for information
From denial to partial acceptance was a long road for Hitachi Payments Services as the digital forensic investigation by SISA Information Security Private Limited began to unearth many of the factors that led to such a major vulnerability.
Strangely enough, an attack of this sophistication, size and complexity should have sent every major government agency into an overdrive. Instead, most of them were left struggling for information. Hitachi Payments Services did not even bother to inform at least two of the key agencies set up under the Information Technology Act to ensure India’s cybersecurity.
The Information Technology Act mandates the National Critical Information Infrastructure Protection Centre under section 70 (A) and the Computer Emergency Response Team – India under section 70 (B) as the two main national agencies for India’s cybersecurity. While the National Critical Information Infrastructure Protection Centre functions under the Prime Minister’s Office, the Computer Emergency Response Team – India works under the Ministry of Electronics and Information Security. Both agencies were kept out of the information loop.
By Hitachi Payments Services’ own admission, only two major bodies were informed: the banking regulator, the Reserve Bank of India, and the National Payments Corporation of India, neither of which deals with cybersecurity. Even a First Information Report, a basic requirement to start a formal investigation by the police, was not registered. Till date, no such FIR has been registered by Hitachi Payments Services.
Hitachi Payments Services statement
In response to a detailed questionnaire, Snigdha Nair and Tiju Easow of Hitachi Payments Services said: “All necessary containment measures were deployed by Hitachi Payment Services and all necessary regulatory bodies were kept informed from our end.” They declined to comment on why an FIR was never lodged to initiate a formal investigation by the government.
But even more disturbing is the fact that when Hitachi Payments Services became aware of the breach, it immediately started formatting the infected hard disks. This meant that everything on those disks would be wiped out, hampering a forensic investigation. At least three senior government officials who are aware of the investigation’s details, and whom Scroll.in spoke to between October and now, confirmed this. Hitachi Payments Services’ response to this was the same: “All necessary containment measures were deployed.” However, the erasure of the data on the infected hard disks severely compromised the forensic investigation. Luckily, one hard disk had been configured to copy all the data during transactions, and this allowed the digital forensic experts to carry out their investigation. Without this backup disk, the investigation would have gone completely cold. Perhaps this explains why Hitachi Payments Services was in denial mode in October last year, when the news about the breach broke.
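The paragraph above turns on one point of incident-response practice: evidence must be preserved before a compromised system is reimaged or formatted. The following is an added example, not code from the Scroll.in article, from Hitachi Payments Services or from SISA, showing the preservation step in Python. It takes a byte-for-byte image of a constructed sample "disk" file, records SHA-256 hashes of the source stream and of the written image so the copy can be proven complete, then overwrites the original the way formatting would, and shows that the verified image still holds the evidence while the original no longer hashes to the recorded value. The file paths, the sample transaction line and all function names are assumptions made for this demonstration; on a real system the source would be the block device and the image would be written to separate, write-once storage.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK_SIZE = 1 << 20  # read in 1 MiB chunks so a large device never sits in memory


def sha256_of_file(path):
    """Stream a file (or block device) through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source, image_path):
    """Copy `source` byte-for-byte to `image_path` and return an acquisition record.

    The stream is hashed while it is read from the source, and the written image is
    hashed again afterwards; matching digests prove the copy is complete and unaltered.
    """
    read_digest = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
            read_digest.update(chunk)
            dst.write(chunk)
    record = {
        "source": source,
        "image": image_path,
        "size_bytes": os.path.getsize(image_path),
        "sha256_source": read_digest.hexdigest(),
        "sha256_image": sha256_of_file(image_path),
        "acquired_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    # Keep the record beside the image so the hash travels with the evidence.
    with open(image_path + ".json", "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_image(record):
    """Re-hash the stored image and compare it with the digest recorded at acquisition."""
    return sha256_of_file(record["image"]) == record["sha256_image"]


def wipe_in_place(path):
    """Overwrite the file with zeros: a stand-in for 'formatting' a compromised disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\x00" * size)


def demo():
    """Constructed scenario: image a 'disk' before it is formatted, then show that the
    image still verifies and still holds the evidence while the original does not."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    disk = os.path.join(workdir, "switch-disk.bin")
    # Constructed sample content standing in for a payment switch's transaction log
    # (hypothetical ATM id, masked card number).
    evidence = b"2016-07-11T03:14:07Z TXN atm=ATM-0042 card=****1234 status=APPROVED\n"
    with open(disk, "wb") as fh:
        fh.write(evidence * 2048)

    record = acquire_image(disk, os.path.join(workdir, "switch-disk.img"))
    wipe_in_place(disk)  # the step that destroyed evidence in the case described above

    with open(record["image"], "rb") as fh:
        image_holds_evidence = evidence in fh.read()
    return {
        "record": record,
        "image_verified_after_wipe": verify_image(record),
        "source_hash_after_wipe": sha256_of_file(disk),
        "image_holds_evidence": image_holds_evidence,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is the double hash: hashing the stream as it is read from the source and then re-hashing the written image lets an investigator prove, independently of whoever ran the acquisition, that the image is what the disk contained at that moment. Once that record exists, containment steps such as reimaging no longer cost the investigation its evidence.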
Ideally, a joint team of the National Critical Information Infrastructure Protection Centre and the Computer Emergency Response Team, along with police investigators, should have been called in to carry out a thorough investigation. With them out of the loop, only the Reserve Bank of India and the National Payments Corporation of India were asked to deal with this. Ironically, they are not tasked with responding to a cybersecurity breach. Neither has the charter or the expertise to handle a major cyberattack of this nature. The police have investigative powers under the Indian Penal Code and the Criminal Procedure Code, which are crucial to issuing a request for information under a Mutual Legal Assistance Treaty. With no such data being sought from other countries, no one knows who carried out the attack.
These disclosures lead to a more disturbing fact. With Prime Minister Narendra Modi pushing his Digital India initiative as well as digital payments after demonetisation, the handling of the major cyberattack has exposed how vulnerable India really is.
SISA Information Security Private Limited, which was hired by Hitachi Payments Services to carry out the investigation, may have had the expertise, but lacked the legal powers to identify and go after the real attackers. In the absence of a formal investigation, the attackers got away, and may continue to exploit more critical systems in the future.
While SISA is bound by customer confidentiality not to reveal anything about its investigation, it sent a response to a detailed questionnaire confirming its role. “SISA, a Payment Security Specialist company was appointed by Hitachi Payment Services Pvt Ltd for conducting PCI [Payment Card Industry] forensic investigation,” said Nitin Bhavnagar, a senior official at SISA. Any payment card breach has to be investigated by a PFI, or Payment Forensics Investigator. “SISA respects client confidentiality in such forensic investigations and hence cannot go into detail. However, what we can say is this attack was implemented in a sophisticated manner, not one which we normally experience. The hackers know that they are dealing with payment data which can be monetised quickly, unlike incidents where personal information is stolen, because they would need to go a few more steps further to monetise. SISA has submitted the report to Hitachi and we understand the report was forwarded to all respective authorities including the Government of India.”
The fact that this was “implemented in a sophisticated manner”, which needs many resources that aren’t available to routine everyday hackers, suggested the possibility of a state actor having been responsible. In fact, the whole financial sector – banks, insurance and financial services – is mandated as a “Critical Sector” by the government. A critical sector, as defined by the government under the Information Technology Act, is any sector an attack on which could have catastrophic consequences for India’s security. Therefore, it is inexplicable why Hitachi Payments Services did not follow up such a breach with an FIR, to start with, and why the whole affair was dealt with in such a lackadaisical manner.
Meanwhile, the attackers who worked on this “sophisticated attack” have gone scot-free. India will probably never know who they were and continues to be vulnerable to future attacks.