Lazarus hackers stole millions from ATMs in Africa and Asia

Lazarus hacking group has been stealing money from ATMs across Africa and Asia since 2016

North Korea-based Lazarus group targeted banks in Asia and Africa and stole more than 10 million dollars from their ATMs.

After some break, Lazarus hacking group appears in the headlines. This time, hackers are found to be responsible for using FASTCash Trojan horse to attack ATMs all over the world. Since 2016, they managed to steal up to 10 million from banks across Asia and Africa.^[1] According to a report from Symantec, Lazarus used this trojan to infect the servers that controlled ATMs and, in this way, got the permission to intercept their transaction requests and get cash.^[2]

The North Korea-linked hacker group has been involved in espionage and cybercrime since 2014 or earlier.^[3] Based on the report from Homeland Security Computer Emergency Readiness Team, similar ATMS attacks have been reported since 2016.^[4] The organization responsible for analyzing and reducing the cyber threat risks stated:

Since at least late 2016, HIDDEN COBRA actors have used FASTCash tactics to target banks in Africa and Asia. At the time of this TA’s publication, the U.S. Government has not confirmed any FASTCash incidents affecting institutions within the United States.

The functionality behind Trojan.Fastcash

The trojan horse, which was discovered not so long ago, was used on the first week of November 2018. It spreads using spear phishing email campaigns^[5] and injects the code on the system. The process this malware runs is developed to communicate with financial systems that utilize ISO8583 standard.

In this ATM attack, the Lazarus group focused on hacking the targeted banks and their networks to compromise the switch of servers used to run ATM transactions. When the server is compromised, trojan turns cash withdrawal requests to direct approvals, and this way attacker can steal cash from the machine directly.

Two primary functions of this malware are to monitor incoming messages and responses. Also, the virus is supposed to monitor fraudulent transactions that attackers generate to prevent them from reaching the switch app that processes transactions. It also contains the functionality that generates fraudulent responses to direct transaction requests.

Notorious Lazarus hacker group and their activity

According to the reports from the U.S government, Lazarus ATM cash withdrawals have stolen more than 10 million dollars since 2016. In 2017, over 30 different countries encountered these incidents. This year, major attack affected 23 separate countries.

The hacker group became known in 2014 when they proliferated the attack on Sony Pictures. This espionage operation resulted in the loss of personal information about employees and confidential communications. According to FBI, the intrusion into the SPEs network consisted of destructive malware.

Another massive attack involved ransomware called WannaCry^[6] that affected a huge part of the world. Already known as a notorious cryptovirus, WannaCry still comes up with new versions. After being detected in 2017, it affected more than 230 000 machines in more than 150 countries in a few days alone. This ransomware uses EtternalBlue exploit kit and hits merely companies or organizations.