Hackers with links to the North Korean government used sophisticated trojan malware dubbed “Trojan.Fastcash” to steal tens of millions of dollars from ATMs across Asia and Africa, according to a new report from the cybersecurity firm Symantec.
The hacking group, known as Lazarus, used the malware to infect the servers controlling the ATMs, allowing them to intercept their own fraudulent transaction requests and withdraw cash.
Similar ATM attacks have been raising alarms since late 2016, according to a warning released last month by Homeland Security’s Computer Emergency Readiness Team (US-CERT), the organization responsible for analyzing and reducing cyber threats.
One event in 2017 saw cash simultaneously withdrawn from ATMs across 30 different countries, and another attack earlier this year saw cash withdrawn across 23 countries. Symantec notes that every FASTCash attack so far has hit servers running unsupported versions of its AIX operating system, suggesting that the vulnerabilities exploited by the hackers have since been patched.
The hack leads Symantec to believe that that Lazarus, the North Korea-linked group that’s thought to be behind these latest attacks, is now more motivated by stealing money rather than furthering the state’s agenda.
The group first gained international notoriety as a result of the Sony Pictures hack that resulted in the leak of the film The Interview — a comedy set in North Korea. However, since then their crimes have been much more financial in nature, including the theft of $81 million in the Bangladesh Bank robbery, and the WannaCry ransomware attacks.