North Korean hackers steal millions from ATMs in Asia, Africa

Symantec's research team has uncovered the key component used in the group's recent wave of financial attacks. The operation, known as "FASTCash", enabled Lazarus to fraudulently empty ATMs of cash.

By Author  |  Published: 9th Nov 2018  6:53 pm
hackers
Representational image

New Delhi: North Korea-based infamous hacking group Lazarus is estimated to have stolen tens of millions of dollars from ATMs from banks in Asia and Africa, a new report from cyber security firm Symantec has revealed.

Symantec’s research team has uncovered the key component used in the group’s recent wave of financial attacks. The operation, known as “FASTCash”, enabled Lazarus to fraudulently empty ATMs of cash.

To make the fraudulent withdrawals, Lazarus first breaches targeted banks’ networks and compromises the switch application servers handling ATM transactions, Symantec said in a statement late Thursday.

It was not clear yet if ATMs in India were also affected. “On October 2, 2018, an alert was issued by US-CERT, the Department of Homeland Security, the Department of the Treasury, and the FBI. According to this new alert, Hidden Cobra (the US government’s code name for Lazarus) has been conducting “FASTCash” attacks, stealing money from Automated Teller Machines (ATMs) from banks in Asia and Africa since at least 2016,” said Symantec.

Lazarus is a hacking group which has been linked to a string of attacks against everything from banks to government agencies across the world, including the 2014 attack on Sony Pictures.
More recently, Lazarus has also become involved in financially motivated attacks, including an $81 million theft from the Bangladesh Central Bank and the “WannaCry” ransomware outbreak in May 2017.

According to the US government alert, one incident in 2017 saw cash withdrawn simultaneously from ATMs in over 30 different countries.

In another major incident in 2018, cash was taken from ATMs in 23 countries.
To date, the Lazarus FASTCash operation is estimated to have stolen tens of millions of dollars.
“Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs,” explained the Symantec team.

The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities.

“Lazarus continues to pose a serious threat to the financial sector and organisations should take all necessary steps to ensure that their payment systems are fully up to date and secured,” Symantec added.

Amid growing crypto-jacking episodes, Lazarus has also stolen cryptocurrencies worth more than half a billion dollars. According to The Next Web that cited findings from the annual report of cybersecurity vendor Group-IB last month, Lazarus was behind 14 hacking attacks on cryptocurrent exchanges since January 2017 — stealing $571 million.