ATM
A new report from cybersecurity firm Symantec revealed that North Korea-based infamous hacking group Lazarus has been conducting “FASTCash” attacks and have stolen tens of millions of dollars from ATMs in Asia and Africa. In this image, an ATM machine on Third Avenue is seen in New York, May 10, 2013. TIMOTHY A. CLARY/AFP/Getty Images

A new report from cybersecurity firm Symantec revealed that North Korea-based infamous hacking group, Lazarus, has been conducting “FASTCash” attacks and has stolen tens of millions of dollars from ATMs in Asia and Africa.

"On Oct. 2, 2018, an alert was issued by US-CERT, the Department of Homeland Security, the Department of the Treasury, and the FBI. According to this new alert, Hidden Cobra (the US government's code name for Lazarus) has been conducting 'FASTCash' attacks, stealing money from Automated Teller Machines (ATMs) from banks in Asia and Africa since at least 2016," said Symantec.

The attackers steal cash from ATMs by hacking into the networks of the targeted banks. They then compromise the switch application servers handling ATM transactions by injecting a malicious Advanced Interactive eXecutive (AIX) and deploy a previously unknown malware (Trojan.Fastcash), which helps intercept fraudulent cash withdrawal requests and generate fake approval responses, CIOL reported. The executable contains codes to construct fraudulent ISO 8583 messages, a standard for financial transaction messaging.

The basic function of Trojan.Fastcash is monitoring the incoming messages and obstructing the attacker-generated fraudulent transaction requests from reaching the switch application that processes transactions. Once installed into the server, the malware scans for incoming ISO 8583 request messages.

It then scans the Primary Account Number (PAN) numbers in all messages. If it detects that any PAN number is that of the attackers, it modifies the message and then transmits a fake response message approving the fraudulent withdrawal requests, thus allowing the hackers to withdraw money.

The hacking group was involved in both cybercrime and espionage. It was initially known for its involvement in espionage operations and a number of high-profile disruptive attacks. This includes the attack on Sony Pictures in 2014 during which large amounts of information were stolen.

It was also involved in financially motivated attacks, including an $81 million theft from the Bangladesh Central Bank and the "WannaCry" ransomware outbreak in May 2017.

According to the U.S. government alert, one incident in 2017 saw cash withdrawn from ATMs in over 30 different countries simultaneously. In a similar incident this year, cash was taken from ATMs in 23 countries. The group has also stolen cryptocurrencies worth more than half a billion dollars.

“Lazarus continues to pose a serious threat to the financial sector and organizations should take all necessary steps to ensure that their payment systems are fully up to date and secured," Symantec said, India-based news outlet The News Minute reported.