[BreachExchange] U.S. Links North Korean Government to ATM Hacks
destry at riskbasedsecurity.com
Wed Oct 3 20:27:44 EDT 2018
The United States Department of Homeland Security (DHS), Department of
the Treasury (Treasury), and Federal Bureau of Investigation (FBI)
this week released a joint technical alert to share information on an
Automated Teller Machine (ATM) cash-out scheme attributed to the North
The financially-motivated malicious campaign was attributed to the
North Korea-linked threat actor the U.S. government refers to as
Hidden Cobra, but which is better known in the infosec community as
the Lazarus Group.
Considered the most serious threat to banks, the actor is believed to
have orchestrated the $81 million heist from the Bangladesh bank. This
year, the group was said to have been involved in numerous attacks
against financial institutions and banks and to have also shown
interest in crypto-currencies.
Last year, the U.S. started sharing details on the activity associated
with Hidden Cobra, including information on the tools the actor
employs in attacks, including malware such as Typeframe, Joanap and
Brambul, Fallchil, and others. In September, U.S. authorities charged
a North Korean national over his alleged involvement with Lazarus.
The most recent alert issued by the U.S. government on Hidden Cobra
details FASTCash, a set of tactics the group has been using since at
least 2016 to target banks in Africa and Asia and maintain presence on
the victims’ networks for further exploitation.
As part of the FASTCash schemes, hackers remotely compromise payment
switch application servers within banks to perform fraudulent
transactions. The use of these tactics was highly successful and the
group is expected to continue using them to target retail payment
systems vulnerable to remote exploitation.
“According to a trusted partner’s estimation, HIDDEN COBRA actors have
stolen tens of millions of dollars. In one incident in 2017, HIDDEN
COBRA actors enabled cash to be simultaneously withdrawn from ATMs
located in over 30 different countries. In another incident in 2018,
HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from
ATMs in 23 different countries,” the joint alert reads.
The actor allegedly configured and deployed legitimate scripts on
compromised servers to intercept legitimate financial requests and
reply to them with fraudulent responses. The group leveraged knowledge
of the standard for financial transaction messaging and other tactics
to exploit the targeted systems.
The deployed scripts apparently inspected inbound financial request
messages for specific primary account numbers (PANs) and could
generate fraudulent responses only for the requests that matched the
While the initial infection vector hasn’t been identified, Lazarus is
known for the use of spear-phishing emails in targeted attacks against
bank employees and might have employed Windows-based malware “to
explore a bank’s network to identify the payment switch application
server.” Lateral movement was likely performed leveraging legitimate
Alongside the joint alert, the DHS also published a malware analysis
report (MAR-10201537) to provide details on the malware Hidden Cobra
used as part of the FASTCash attacks. Of a total of 10 files submitted
for analysis, four were found to be malicious, 2 were command-line
utility applications, 3 were apps offering export functions and
methods to interact with financial systems, and 1 was a log file.
The identified malicious programs include Trojans and various
backdoors that could retrieve system information, find and manipulate
files, execute and terminate processes, download and upload files, and
execute commands. In addition to Windows, the Trojans targeted IBM’s
Advanced Interactive Executive (AIX) platform, which was running on
the compromised payment switch application servers.
The FASTCash scheme only appears to have targeted banks in Africa and
Asia, with no incidents observed in the U.S.
More information about the BreachExchange