Symantec said it has uncovered previously unknown malware behind dozens of large cyber robberies on automated teller machines (ATMs) linked to the state-sponsored Lazarus hackers.
The North Korea-tied crew is now a serious threat to the banking industry, deploying the malicious code known as Trojan.Fastcash to infect ATM servers and make off with millions of dollars in a two-year wave of cyber burglaries, Symantec said in a blog post. In particular, Lazarus has been tied to the $81 million heist from the Bangladesh Central Bank in 2016. Its reach also extends to other high-profile cyber attacks, including the infamous attack on Sony Pictures in 2014 that cost the studio millions, and the destructive WannaCry ransomware assault last year.
“The recent wave of FastCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities,” Symantec wrote. Lazarus “possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks,” the security specialist said.
In tracing Lazarus' steps, Symantec determined that once the hackers have broken into a bank's network they infect the servers that handle ATM transactions with the Trojan.Fastcash malware. That enables the thieves to intercept their own bogus cash withdrawal requests before they reach the bank's processing systems and send fake approval responses back to the ATMs. Symantec said it has found several different variants of Trojan.Fastcash. Its researchers have posted a more in-depth analysis of the malware in a separate write-up.
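One defensive consequence of the mechanism just described is that a fabricated approval never reaches the bank's core processing host, so it leaves no authorization record there. The following reconciliation check is an added example, not code from the page or from Symantec: it compares approvals logged by the transaction switch against authorizations recorded by the core host, flags approvals with no backing record, and groups those into time clusters, since a synchronized cash-out shows up as many unbacked approvals within seconds. The record layout and field names are assumptions for the example, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the page). Field names are assumptions.
# What the ATM switch reported as approved:
SWITCH_APPROVALS = [
    {"txn_id": "A1001", "amount": 200, "approved_at": "2018-10-01T10:00:05"},
    {"txn_id": "A1002", "amount": 500, "approved_at": "2018-10-01T10:00:09"},
    {"txn_id": "A1003", "amount": 800, "approved_at": "2018-10-01T10:00:12"},
    {"txn_id": "A1004", "amount": 800, "approved_at": "2018-10-01T10:00:13"},
    {"txn_id": "A1005", "amount": 100, "approved_at": "2018-10-01T11:30:00"},
]
# What the core banking host actually authorized:
CORE_AUTHORIZATIONS = [
    {"txn_id": "A1001", "amount": 200},
    {"txn_id": "A1005", "amount": 100},
]


def find_unbacked_approvals(switch_approvals, core_auths):
    """Return switch approvals with no core authorization for the same
    transaction id and amount. A forged approval injected at the switch
    is never seen by the core, so it has no record to match."""
    backed = {(a["txn_id"], a["amount"]) for a in core_auths}
    return [s for s in switch_approvals if (s["txn_id"], s["amount"]) not in backed]


def cluster_by_window(approvals, window_seconds=60):
    """Group approvals whose timestamps fall within window_seconds of the
    first approval in the group. Returns a list of groups, each sorted by time."""
    ordered = sorted(approvals, key=lambda a: a["approved_at"])
    groups, window = [], timedelta(seconds=window_seconds)
    for a in ordered:
        t = datetime.fromisoformat(a["approved_at"])
        if groups and t - datetime.fromisoformat(groups[-1][0]["approved_at"]) <= window:
            groups[-1].append(a)
        else:
            groups.append([a])
    return groups


def alert_summary(switch_approvals, core_auths, window_seconds=60, min_cluster=2):
    """Summarize unbacked approvals and the bursts they form."""
    unbacked = find_unbacked_approvals(switch_approvals, core_auths)
    clusters = [g for g in cluster_by_window(unbacked, window_seconds) if len(g) >= min_cluster]
    return {
        "unbacked_count": len(unbacked),
        "unbacked_total": sum(a["amount"] for a in unbacked),
        "burst_clusters": [[a["txn_id"] for a in g] for g in clusters],
    }


if __name__ == "__main__":
    print(alert_summary(SWITCH_APPROVALS, CORE_AUTHORIZATIONS))
```

On the constructed data the check reports three unbacked approvals totalling 2100, all within one 60-second cluster, while the two core-backed withdrawals pass silently.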
In early October, US-CERT, the Department of Homeland Security, the Department of the Treasury, and the Federal Bureau of Investigation issued an alert that the Hidden Cobra hackers (the feds' code name for Lazarus) had been stealing money from ATMs in Asia and Africa since at least 2016. Lazarus is estimated to have stolen tens of millions of dollars so far. According to the alert, in one incident last year Hidden Cobra withdrew cash from ATMs in 30 countries in a synchronized blitz. In another incident earlier this year, the hackers simultaneously stole cash from ATMs in 23 separate countries.
“The U.S. Government assesses that Hidden Cobra actors will continue to use FastCash tactics to target retail payment systems vulnerable to remote exploitation,” the alert said.
Last April, the same cyber gang was linked to a global data reconnaissance campaign aimed at critical infrastructure and the entertainment, finance, health care and telecommunications industries. The crew has also been tied to an attack on Turkish banks a month earlier. Security vendor McAfee said the assault on the Turkish financial system had similar markings to previous attacks by Hidden Cobra conducted against the SWIFT global financial network.