T’was the 16th of May 2016. Creatures were stirring, mice included. It was raining, which tended to put a damper on things (pun intended). Overall, it was to be your average Sunday. Little did we know, it was to be far from it.
Commercial Bank of Ceylon PLC is one of the leading commercial banks in Sri Lanka with approximately 250 branches and 625 ATMs. According to sources, the bank was infiltrated online by a group of hackers who then proceeded to dump the data from their databases into public servers. The group, dubbed the Bozkurtlar hacking group, is reportedly also responsible for posting seven other data dumps from banks in the Middle East and Asia since the 26th of April this year.
They are believed to have tie-ins from Turkey and have released data from five South Asian banks on May 10. Furthermore, they also dumped data online from UAE-based InvestBank on May 7 and data from Qatar National Bank on April 26.
What Data Was Leaked From Commercial Bank?
It appears that the data leaked from the hack relate in its entirety to the contents of the corporate website of the bank and no personal customer data or payment card information has been leaked. This can be considered a relief for some whereas it could be problematic for others. That’s not the most troubling part though; the dump appears to have occurred in November of last year, suggesting the hack took place before that.
Similar to the other bank hackings, the attackers notified the ISMG (International Security Media Group) and others via Twitter about the file dump, which was then taken down relatively quickly. Commercial Bank of Ceylon’s web services were also briefly taken down following the notification and returned to its full functionality on the 13th of May.
As for the dump itself, it contains around 158,276 files in 22,901 folders totaling around 7GB of uncompressed data. The contents range from annual reports, application forms, bank financial statements, and numerous other filed needed for the front-end web services of the bank’s corporate section.
Using an SQL Injection attack, the attackers uploaded a script that enables remote access and administration onto the bank’s PHP server. Bozkurtlar attackers further posted on Twitter that they would continue to post data from Asian and Middle Eastern banks, after the first dump of data from the Qatar National Bank.
Given the lack of a message from the group, many people are questioning the motives of the Bozkurtlar attackers
Using SQL injection as a tool has gained its share of popularity with hackers and white hat researchers alike, simply because of its ease-of-use where at the literal click of a button, you can launch an attack.
The SQL Injection used for these cases is dubbed “Havij” and was written by Farshad Shahbazi, a security researcher at Iranian security firm the ITSecTeam, who also goes by hacker moniker r3dm0v3. Released in 2009, the tool grew in popularity with hackers all over the world. In addition to the Commercial Bank of Ceylon attack, the tool supposedly was also used in attacks against Kathmandu, Nepal-based Sanima Bank and Dhaka and Bangladesh-based Dutch Bangla Bank. The Qatar National Bank breach also involved an SQL injection and Web Shell combination, but it remains unclear if it involved the Havij tool.
Commercial Bank Is yet to issue a statement of the affairs
When asked for a comment or a reply with regard to the hack, Commercial Bank of Ceylon did not immediately issue a statement. As of publishing this article, they have yet to comment or issue a statement. and as time of publishing, have declined to do so. For a bank, security is paramount. Yet, no system is 100% secure. That’s why the response you give to stakeholders (corporate or not), especially customers is important.
Thus far, Combank has reacted poorly in this regard. There have been no statements online via social media or even an email explaining the situation to customers.. We understand that the Bank is going through a rough patch at the moment but a few words of consolation would indeed soothe the savage beast.
But Wait, there’s more
This is not the first time that a Sri Lankan Bank has been the victim of data theft. Just recently, Sri Lankan authorities launched a probe into a dubious NGO located in Sri Lanka that tried to sneak in millions of US dollars stolen by Chinese hackers from the Bangladesh Central Bank.
Apart from that, a worldwide gang of criminals stole financial records amounting to $45 million within a few hours by hacking their way into a database of prepaid debit cards and then draining ATM machines in many countries, including in Sri Lanka.
According to sources, it was dubbed the largest ATM fraud scheme in Sri Lanka thus far. Gone are the days when Hackers use their skills to bring down entire networks. Now they live on those same networks and steal data from them.
That is still not scary as a ATC (Air Traffic Controller) losing communication with 85 other airborne crafts. According to The Times Of India, A communication breakdown between Kolkata’s air traffic control and 85 airborne crafts put almost 25,000 lives at stake for 10 painstaking minutes before communication was restored. They go on to state that the issue was with the BSNL and mention factors such as Red-tapism, but even so, this is indeed a deadly action that can have disastrous consequences.
The question we must ask ourselves is: Are we ready to face such a situation? If not, what can we do to when we know the worst is coming?
As of the 16th fo May 2016, Commercial Bank has issued a statement confirming that their website was indeed hacked and that the bank took appropriate corrective steps. The attack was immediately notified to the relevant authorities.They also confirmed that no sensitive information was leaked and that they are taking all necessary precautions to ensure the privacy and safety of their customers. They further added that they have engaged with external parties to review their systems and to ensure that no further flaws are present in their systems.