Lazarus hackers engage in ‘FASTCash’ scheme to steal tens of millions of dollars from ATMs

The notorious hackers have been striking ATMs since 2016 in a pivot from disruptive attacks such as WannaCry

Person entering their PIN number into an ATM machine

The North Korean hacking group behind the WannaCry ransomware attack that crippled the NHS has been stealing money from ATMs since at least 2016.

Cyber crime and espionage outfit Lazarus has gained a reputation for disruptive and politically-motivated attacks. But researchers have found evidence that reinforces claims the group has increasingly gravitated towards financial crime in recent years.

The group has been fraudulently emptying ATMs across Asia and Africa in an operation dubbed "FASTCash", according to Symantec, by breaching banks' networks, and injecting a malware into switch application servers that handle transactions.

The 'Trojan.Fastcash' malware, previously unknown to security researchers, intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, which in turn allows the attackers to steal cash from ATMs.

The attacks have so far been confined to Africa and Asia, and directed at the financial sector, but that's not to say Lazarus won't target the UK at some future data, according to security threat researcher at Symantec Dick O'Brien.

"Lazarus has, since 2016, diversified into financially motivated attacks. It began first by directly attacking banks, such as the Bangladesh bank heist, which netted it $81 million," O'Brien told IT Pro.

"We don't know for sure why they've shifted to ATM attacks, but it's likely that most banks became wise to the tactics they used in 2016 bank heists and beefed up their security, prompting Lazarus to find an alternative means of attack, another weak point."

One incident in 2017 saw cash withdrawn simultaneously from ATMs in over 30 different countries, according to an official US government alert issued earlier this month. Another major incident this year saw cash taken from 23 countries simultaneously, with the total FASTCash haul estimated at tens of millions of dollars.

In order to carry out a successful attack, the hackers first inject their malware into banking application servers running unsupported versions of the AIX operating system. This allows Lazarus to intercept fraudulent transaction requests, prevent them from reaching the switch application that processes transactions, as well as generate fake approvals.

"The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities," Symantec's security response attack investigation team said.

"As with the 2016 series of virtual bank heists, including the Bangladesh Bank heist, FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks."

Alongside disruptive operations such as the Sony Pictures hack, and malware that struck the Winter Olympics, Lazarus has often engaged in financially-motivated crime in recent years; most infamously the WannaCry ransomware attack.

The Department for Health and Social Care (DHSC) last month estimated the crippling attack cost the health service 92 million, with the vast majority of this sum spent on restoring services and recovering data.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

22 Apr 2021
What is hacktivism?
hacking

What is hacktivism?

22 Apr 2021
Geico data breach leads to stolen driver’s license numbers
data breaches

Geico data breach leads to stolen driver’s license numbers

21 Apr 2021
UK’s IoT security regulation will also include smartphones
Internet of Things (IoT)

UK’s IoT security regulation will also include smartphones

21 Apr 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
REvil threatens to release Apple’s hardware schematics
ransomware

REvil threatens to release Apple’s hardware schematics

21 Apr 2021