Lazarus hackers engage in ‘FASTCash’ scheme to steal tens of millions of dollars from ATMs

The notorious hackers have been striking ATMs since 2016 in a pivot from disruptive attacks such as WannaCry

Person entering their PIN number into an ATM machine

The North Korean hacking group behind the WannaCry ransomware attack that crippled the NHS has been stealing money from ATMs since at least 2016.

Cyber crime and espionage outfit Lazarus has gained a reputation for disruptive and politically-motivated attacks. But researchers have found evidence that reinforces claims the group has increasingly gravitated towards financial crime in recent years.

The group has been fraudulently emptying ATMs across Asia and Africa in an operation dubbed "FASTCash", according to Symantec, by breaching banks' networks, and injecting a malware into switch application servers that handle transactions.

The 'Trojan.Fastcash' malware, previously unknown to security researchers, intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, which in turn allows the attackers to steal cash from ATMs.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The attacks have so far been confined to Africa and Asia, and directed at the financial sector, but that's not to say Lazarus won't target the UK at some future data, according to security threat researcher at Symantec Dick O'Brien.

"Lazarus has, since 2016, diversified into financially motivated attacks. It began first by directly attacking banks, such as the Bangladesh bank heist, which netted it $81 million," O'Brien told IT Pro.

"We don't know for sure why they've shifted to ATM attacks, but it's likely that most banks became wise to the tactics they used in 2016 bank heists and beefed up their security, prompting Lazarus to find an alternative means of attack, another weak point."

One incident in 2017 saw cash withdrawn simultaneously from ATMs in over 30 different countries, according to an official US government alert issued earlier this month. Another major incident this year saw cash taken from 23 countries simultaneously, with the total FASTCash haul estimated at tens of millions of dollars.

In order to carry out a successful attack, the hackers first inject their malware into banking application servers running unsupported versions of the AIX operating system. This allows Lazarus to intercept fraudulent transaction requests, prevent them from reaching the switch application that processes transactions, as well as generate fake approvals.

"The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities," Symantec's security response attack investigation team said.

Advertisement - Article continues below

"As with the 2016 series of virtual bank heists, including the Bangladesh Bank heist, FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks."

Alongside disruptive operations such as the Sony Pictures hack, and malware that struck the Winter Olympics, Lazarus has often engaged in financially-motivated crime in recent years; most infamously the WannaCry ransomware attack.

The Department for Health and Social Care (DHSC) last month estimated the crippling attack cost the health service 92 million, with the vast majority of this sum spent on restoring services and recovering data.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/security/data-breaches/354611/misconfigured-security-command-exposes-250-million-microsoft-customer
data breaches

Misconfigured security command exposes 250 million Microsoft customer records

23 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/mobile/5g/354634/boris-johnson-accused-of-doing-a-bit-of-a-runner-from-huawei-5g-questions
5G

Boris Johnson accused of doing "a bit of a runner" from Huawei 5G questions

27 Jan 2020