Lazarus hackers engage in ‘FASTCash’ scheme to steal tens of millions of dollars from ATMs
The notorious hackers have been striking ATMs since 2016 in a pivot from disruptive attacks such as WannaCry


The North Korean hacking group behind the WannaCry ransomware attack that crippled the NHS has been stealing money from ATMs since at least 2016.
Cyber crime and espionage outfit Lazarus has gained a reputation for disruptive and politically-motivated attacks. But researchers have found evidence that reinforces claims the group has increasingly gravitated towards financial crime in recent years.
The group has been fraudulently emptying ATMs across Asia and Africa in an operation dubbed "FASTCash", according to Symantec, by breaching banks' networks and injecting malware into the switch application servers that handle transactions.
The 'Trojan.Fastcash' malware, previously unknown to security researchers, intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, which in turn allows the attackers to steal cash from ATMs.
The attacks have so far been confined to Africa and Asia and directed at the financial sector, but that's not to say Lazarus won't target the UK at some future date, according to Dick O'Brien, security threat researcher at Symantec.
"Lazarus has, since 2016, diversified into financially motivated attacks. It began first by directly attacking banks, such as the Bangladesh bank heist, which netted it $81 million," O'Brien told IT Pro.
"We don't know for sure why they've shifted to ATM attacks, but it's likely that most banks became wise to the tactics they used in 2016 bank heists and beefed up their security, prompting Lazarus to find an alternative means of attack, another weak point."
One incident in 2017 saw cash withdrawn simultaneously from ATMs in over 30 different countries, according to an official US government alert issued earlier this month. Another major incident this year saw cash taken from 23 countries simultaneously, with the total FASTCash haul estimated at tens of millions of dollars.
To carry out a successful attack, the hackers first inject their malware into banking application servers running unsupported versions of the AIX operating system. This allows Lazarus to intercept fraudulent transaction requests, prevent them from reaching the switch application that processes transactions, and generate fake approvals in their place.
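One defensive check that follows from this mechanism, given here as an added example rather than anything published by Symantec or in the US alert: reconcile the approval responses seen leaving the host towards the ATM network against the transactions the switch application itself recorded. An approval with no matching switch record (the request never reached the switch) or one that contradicts the switch's own decision is the trace a fake-approval implant leaves behind. The record layout and transaction references below are constructed assumptions.

```python
# Constructed sample records, not from any real bank.
# What the switch application actually processed and decided:
SWITCH_LOG = [
    ("TX1001", "APPROVED"),
    ("TX1002", "DECLINED"),
]

# Responses observed on the wire heading back to the ATM network,
# e.g. from a network tap or host-based monitor in front of the server:
WIRE_RESPONSES = [
    ("TX1001", "APPROVED"),   # legitimate, matches the switch decision
    ("TX1002", "APPROVED"),   # switch declined, yet an approval went out
    ("TX1003", "APPROVED"),   # switch never saw this request at all
]


def reconcile(switch_log, wire_responses):
    """Return approvals on the wire that the switch application did not grant.

    Two anomaly classes are reported: an approval whose transaction reference
    the switch never processed (request intercepted before reaching it), and
    an approval for a transaction the switch explicitly declined.
    """
    decisions = dict(switch_log)
    suspicious = []
    for ref, decision in wire_responses:
        if decision != "APPROVED":
            continue  # only outbound approvals move cash
        if ref not in decisions:
            suspicious.append((ref, "no matching switch transaction"))
        elif decisions[ref] != "APPROVED":
            suspicious.append((ref, f"switch recorded {decisions[ref]}"))
    return suspicious


if __name__ == "__main__":
    for ref, reason in reconcile(SWITCH_LOG, WIRE_RESPONSES):
        print(f"ALERT {ref}: {reason}")
```

In practice the two sources must be collected independently of the potentially compromised host, since an implant on the switch server can tamper with local logs as readily as with responses.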
"The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities," Symantec's security response attack investigation team said.
"As with the 2016 series of virtual bank heists, including the Bangladesh Bank heist, FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks."
Alongside disruptive operations such as the Sony Pictures hack and the malware that struck the Winter Olympics, Lazarus has often engaged in financially motivated crime in recent years, most infamously the WannaCry ransomware attack.
The Department for Health and Social Care (DHSC) last month estimated the crippling attack cost the health service 92 million, with the vast majority of this sum spent on restoring services and recovering data.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.