North Korean hackers targeting ATMs around the world



Security experts this week identified a highly sophisticated hacking group as the mastermind behind a troublesome spate of cyber attacks that have left financial firms across the world rattled since 2016.

Drawing links between a spate of global cyber attacks orchestrated by a gang of cybercriminals, experts have managed to unmask a malware attack dubbed Operation FASTCash.

Operation FASTCash, which is aimed at swindling banks out of all their moolah, targets Automated Teller Machines (ATMs) across several countries, emptying them simultaneously within a split second.

The malware attack, which has targeted countries across Asia and Africa since 2016, began spreading to other continents more rampantly this year.

Last month, authorities in the U.S. expressed concerns over the dramatic rise in the number of similar attacks in recent months and sounded a global alert.

The U.S. government used the code name ‘Hidden Cobra’ for the Lazarus Group, which has previously been blamed for “malicious cyber activity by the North Korean government.”

What you need to know

On October 2, US-CERT, the Department of Homeland Security, the Department of the Treasury, and the FBI issued an alert attributing the spate of global ATM attacks to ‘Hidden Cobra.’

In the alert, the U.S. government agencies estimated that, to date, the Lazarus Group has stolen tens of millions of dollars across 30 different countries through its ‘Operation FASTCash.’

The alert pointed out, “DHS, Treasury, and FBI identified malware and other indicators of compromise (IOCs) used by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme.”

The statement also identified specific cases, pointing out that an incident in 2017 saw cash being withdrawn simultaneously from ATMs in over 30 different countries.

It also detailed another major incident that took place this year, in which cash was wiped out from ATMs in 23 separate countries.

U.S. officials noted that the group had “exploited the targeted systems by using their knowledge of International Standards Organization (ISO) 8583—the standard for financial transaction messaging… Actors most likely deployed ISO 8583 libraries on the targeted switch application servers.”

This week, weeks after the U.S. alert was issued, the cybersecurity firm Symantec released the findings of its own investigation into the coordinated cyber attacks on ATMs.

While Symantec too accuses the Lazarus Group of carrying out the FASTCash attacks, its investigation led to a key revelation: that the notorious hackers infect banking networks with a Trojan it calls Trojan.Fastcash.

Symantec explained in its report that in a bid to make fraudulent withdrawals, Lazarus first breaches the networks of the targeted banks.

Then, the group compromises the switch application servers handling ATM transactions.

The cybersecurity firm noted that once the breach has taken place, the ‘Trojan.Fastcash’ malware is deployed on those servers, where it intercepts the fraudulent cash withdrawal requests made by Lazarus and answers them with fake approval responses.

This, Symantec claims, allows the hackers to make off with cash from ATMs.
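The mechanism Symantec describes leaves a concrete trace for defenders: an approval seen by the ATM network that the issuer’s authorization host never produced. The example below is added here and is not code from the article, Symantec or the U.S. agencies. It reconciles a switch-side response log against the issuer host’s own log and flags approvals with no matching host authorization. The message format is a constructed, pipe-delimited stand-in for ISO 8583 (an MTI followed by field=value pairs), not the real bitmapped wire format; the field numbers, response codes and the sample log lines are likewise constructed for illustration.

```python
"""Reconcile ATM switch responses against issuer authorization-host records.

Constructed example. The message format is a simplified, pipe-delimited
stand-in for ISO 8583 (MTI followed by field=value pairs), not the real
bitmapped wire format. Field numbers follow ISO 8583 conventions:
  4  = transaction amount (minor units, 12 digits)
  11 = STAN (system trace audit number)
  37 = retrieval reference number
  39 = response code ("00" = approved, "51" = insufficient funds)
  41 = terminal identifier
MTI 0200 is a financial request, 0210 its response.
"""
from collections import Counter
from dataclasses import dataclass

APPROVED = "00"


@dataclass(frozen=True)
class Iso8583Msg:
    mti: str
    fields: dict


def parse_msg(line: str) -> Iso8583Msg:
    """Parse '0210|4=000000020000|11=000101|39=00' into an Iso8583Msg."""
    parts = line.strip().split("|")
    mti, items = parts[0], parts[1:]
    fields = {}
    for item in items:
        num, _, val = item.partition("=")
        fields[int(num)] = val
    return Iso8583Msg(mti, fields)


def txn_key(msg: Iso8583Msg):
    """Correlation key for a request/response pair: STAN plus RRN."""
    return (msg.fields.get(11), msg.fields.get(37))


def find_unauthorized_approvals(switch_log, host_log):
    """Return switch-side approvals (0210 with field 39 == "00") that the
    issuer authorization host has no record of approving. A response that
    was fabricated at the switch, or that answered a request the switch never
    forwarded to the host, shows up here either way."""
    host_approved = {
        txn_key(m)
        for m in map(parse_msg, host_log)
        if m.mti == "0210" and m.fields.get(39) == APPROVED
    }
    suspicious = []
    for m in map(parse_msg, switch_log):
        is_approval = m.mti == "0210" and m.fields.get(39) == APPROVED
        if is_approval and txn_key(m) not in host_approved:
            suspicious.append(m)
    return suspicious


def summarize(suspicious):
    """Total flagged amount (minor units) and per-terminal counts."""
    total = sum(int(m.fields.get(4, "0")) for m in suspicious)
    per_terminal = Counter(m.fields.get(41) for m in suspicious)
    return total, per_terminal


# Constructed sample logs. The third transaction is approved on the switch
# side but never reached the host: that is the pattern to alert on.
SWITCH_LOG = [
    "0200|4=000000020000|11=000101|37=181012000101|41=ATM00001",
    "0210|4=000000020000|11=000101|37=181012000101|39=00|41=ATM00001",
    "0200|4=000000050000|11=000102|37=181012000102|41=ATM00002",
    "0210|4=000000050000|11=000102|37=181012000102|39=51|41=ATM00002",
    "0200|4=000000900000|11=000103|37=181012000103|41=ATM00003",
    "0210|4=000000900000|11=000103|37=181012000103|39=00|41=ATM00003",
]
HOST_LOG = [
    "0200|4=000000020000|11=000101|37=181012000101|41=ATM00001",
    "0210|4=000000020000|11=000101|37=181012000101|39=00|41=ATM00001",
    "0200|4=000000050000|11=000102|37=181012000102|41=ATM00002",
    "0210|4=000000050000|11=000102|37=181012000102|39=51|41=ATM00002",
]

if __name__ == "__main__":
    flagged = find_unauthorized_approvals(SWITCH_LOG, HOST_LOG)
    total, per_terminal = summarize(flagged)
    for m in flagged:
        print(f"unauthorized approval: STAN={m.fields[11]} RRN={m.fields[37]} "
              f"terminal={m.fields[41]} amount={m.fields[4]}")
    print(f"flagged total (minor units): {total}; by terminal: {dict(per_terminal)}")
```

The check only works if the host log comes from a system the switch cannot write to; a reconciliation that reads both sides from the compromised switch server proves nothing. In practice the same comparison is run continuously against the core banking ledger, and a burst of flagged approvals from many terminals in a short window is the FASTCash-style signal to act on.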

In its report, Symantec wrote, “It is clear that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks.”

The firm also warned, “The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus Group and can now be considered one of its core activities.”

Unmasking the global crooks

The notorious group of hackers operating as the ‘Lazarus Group’ remained shrouded in mystery for the better part of its decade-long existence, operating discreetly until an appalling cyberattack in 2014 gave it away.

In November 2014, a group of hackers breached the systems of the prominent U.S. company Sony Pictures Entertainment with a file-wiper attack, leaving the company’s systems crippled and leaking terabytes of company data online for the world to see.

The data leaked online included confidential memos and emails exchanged between the company’s top management and some high-profile public personalities and celebrities.

A hacker group that identified itself as ‘The Guardians of Peace’ claimed responsibility for the attack and said that it was carried out to protest the release of a Sony Pictures film starring Seth Rogen and James Franco called ‘The Interview.’

Although the Federal Bureau of Investigation (FBI) had only just initiated an investigation into the cyber attack, the group was immediately linked to North Korea.

The movie that angered the hackers told a fictional story of two American journalists who are recruited by a U.S. spy agency to assassinate Kim Jong Un, the leader of the reclusive nuclear nation, North Korea, whom they are set to interview.

A year after the cyber attack, the FBI officially blamed North Korea for the breach that was declared a “serious national security matter” by the then U.S. President Barack Obama.

However, the Lazarus Group was blamed for an even bigger and far more mind-boggling cyber attack two years later, which earned the group global infamy and the title of one of the world’s most dangerous groups of cybercriminals.

In February 2016, cybersecurity firms, just like the rest of the world, expressed outrage and shock when a hacking gang was revealed to have attempted to steal a whopping $851 million from the Central Bank of Bangladesh.

The hackers managed to transfer $81 million from the bank’s unprotected network.

Multilayered investigations lasting several months eventually led to the unmasking of the cybercrooks behind the appalling heist: the ‘Lazarus Group,’ which the U.S. dubs ‘Hidden Cobra.’

Since then, cyber investigators across the globe have blamed the notorious gang for a series of disruption, sabotage, financial-theft and espionage attacks.

While some security experts have tracked the group’s activity back to 2009, the Lazarus Group was most recently blamed for the 2017 WannaCry ransomware attack, which caused global chaos.

The WannaCry ransomware attack infected over 300,000 computers, crippling systems in 100 countries spanning the Americas, Europe, Russia and China.

In 2013, the group was blamed for attacking South Korean media and financial companies in two separate cyber espionage operations called ‘Operation Troy’ and ‘Operation DarkSeoul.’

According to experts, including Symantec and U.S. government agencies, the FASTCash attack, the WannaCry ransomware and the Sony breach all bear the same set of fingerprints belonging to the Lazarus Group.

‘Operation FASTCash’ is being dubbed the world’s biggest and most damaging ATM theft so far.