Lazarus hackers engage in ‘FASTCash’ scheme to steal tens of millions of dollars from ATMs

The notorious hackers have been striking ATMs since 2016 in a pivot from disruptive attacks such as WannaCry

Person entering their PIN number into an ATM machine

The North Korean hacking group behind the WannaCry ransomware attack that crippled the NHS has been stealing money from ATMs since at least 2016.

Cyber crime and espionage outfit Lazarus has gained a reputation for disruptive and politically-motivated attacks. But researchers have found evidence that reinforces claims the group has increasingly gravitated towards financial crime in recent years.

The group has been fraudulently emptying ATMs across Asia and Africa in an operation dubbed "FASTCash", according to Symantec, by breaching banks' networks, and injecting a malware into switch application servers that handle transactions.

The 'Trojan.Fastcash' malware, previously unknown to security researchers, intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, which in turn allows the attackers to steal cash from ATMs.

The attacks have so far been confined to Africa and Asia, and directed at the financial sector, but that's not to say Lazarus won't target the UK at some future data, according to security threat researcher at Symantec Dick O'Brien.

"Lazarus has, since 2016, diversified into financially motivated attacks. It began first by directly attacking banks, such as the Bangladesh bank heist, which netted it $81 million," O'Brien told IT Pro.

"We don't know for sure why they've shifted to ATM attacks, but it's likely that most banks became wise to the tactics they used in 2016 bank heists and beefed up their security, prompting Lazarus to find an alternative means of attack, another weak point."

One incident in 2017 saw cash withdrawn simultaneously from ATMs in over 30 different countries, according to an official US government alert issued earlier this month. Another major incident this year saw cash taken from 23 countries simultaneously, with the total FASTCash haul estimated at tens of millions of dollars.

In order to carry out a successful attack, the hackers first inject their malware into banking application servers running unsupported versions of the AIX operating system. This allows Lazarus to intercept fraudulent transaction requests, prevent them from reaching the switch application that processes transactions, as well as generate fake approvals.

"The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities," Symantec's security response attack investigation team said.

"As with the 2016 series of virtual bank heists, including the Bangladesh Bank heist, FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks."

Alongside disruptive operations such as the Sony Pictures hack, and malware that struck the Winter Olympics, Lazarus has often engaged in financially-motivated crime in recent years; most infamously the WannaCry ransomware attack.

The Department for Health and Social Care (DHSC) last month estimated the crippling attack cost the health service 92 million, with the vast majority of this sum spent on restoring services and recovering data.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021
Report: Security staff excluded from app development
cyber security

Report: Security staff excluded from app development

20 Jan 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

20 Jan 2021
SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021

Most Popular

Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021