Lazarus hackers engage in ‘FASTCash’ scheme to steal tens of millions of dollars from ATMs

The notorious hackers have been striking ATMs since 2016 in a pivot from disruptive attacks such as WannaCry

Person entering their PIN number into an ATM machine

The North Korean hacking group behind the WannaCry ransomware attack that crippled the NHS has been stealing money from ATMs since at least 2016.

Cyber crime and espionage outfit Lazarus has gained a reputation for disruptive and politically-motivated attacks. But researchers have found evidence that reinforces claims the group has increasingly gravitated towards financial crime in recent years.

The group has been fraudulently emptying ATMs across Asia and Africa in an operation dubbed "FASTCash", according to Symantec, by breaching banks' networks, and injecting a malware into switch application servers that handle transactions.

The 'Trojan.Fastcash' malware, previously unknown to security researchers, intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, which in turn allows the attackers to steal cash from ATMs.

The attacks have so far been confined to Africa and Asia, and directed at the financial sector, but that's not to say Lazarus won't target the UK at some future data, according to security threat researcher at Symantec Dick O'Brien.

"Lazarus has, since 2016, diversified into financially motivated attacks. It began first by directly attacking banks, such as the Bangladesh bank heist, which netted it $81 million," O'Brien told IT Pro.

"We don't know for sure why they've shifted to ATM attacks, but it's likely that most banks became wise to the tactics they used in 2016 bank heists and beefed up their security, prompting Lazarus to find an alternative means of attack, another weak point."

One incident in 2017 saw cash withdrawn simultaneously from ATMs in over 30 different countries, according to an official US government alert issued earlier this month. Another major incident this year saw cash taken from 23 countries simultaneously, with the total FASTCash haul estimated at tens of millions of dollars.

In order to carry out a successful attack, the hackers first inject their malware into banking application servers running unsupported versions of the AIX operating system. This allows Lazarus to intercept fraudulent transaction requests, prevent them from reaching the switch application that processes transactions, as well as generate fake approvals.

"The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities," Symantec's security response attack investigation team said.

"As with the 2016 series of virtual bank heists, including the Bangladesh Bank heist, FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks."

Alongside disruptive operations such as the Sony Pictures hack, and malware that struck the Winter Olympics, Lazarus has often engaged in financially-motivated crime in recent years; most infamously the WannaCry ransomware attack.

The Department for Health and Social Care (DHSC) last month estimated the crippling attack cost the health service 92 million, with the vast majority of this sum spent on restoring services and recovering data.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
Cyber attacks on manufacturing up 300% in a year
Security

Cyber attacks on manufacturing up 300% in a year

11 May 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

24 Nov 2021
What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

12 Nov 2021