Kaspersky Lab connects cyber-attack on South Korean military with ATM theft – possible tie to Lazarus

Jul 10, 2017:

Following a detailed malware analysis, Kaspersky Lab researchers have connected a 2016 cyberespionage attack on South Korea’s defense agency with a later attack that infected 60 ATMs and stole the data from over 2,000 credit cards. Further, the malicious code and techniques used in both attacks share similarities with earlier attacks widely attributed to the infamous Lazarus group, responsible for a series of devastating attacks against commercial and government organizations around the world.

In August 2016, a cyberattack on South Korea’s Ministry of National Defense infected around 3,000 hosts. The Defense Agency reported (in Korean) the incident publicly in December 2016, admitting that some confidential information could have been exposed.

Six months later, at least 60 ATMs in South Korea, managed by a single local vendor, were compromised with malware. The incident was reported (in Korean) by the Financial Security Institute and, according to the Financial Supervisory Service, resulted in the theft of the details of 2,500 financial cards and the illegal withdrawal in Taiwan of approximately 2,500 USD from these accounts. Kaspersky Lab researched the malware used in the ATM incident and discovered that the machines were attacked with the same malicious code used to hit the Korean Ministry of National Defense in August 2016.

Exploring the connection between these attacks and earlier hacks, Kaspersky Lab has found similarities with the DarkSeoul malicious operations and other campaigns attributed to the Lazarus hacking group. The commonalities include, among other things, the use of the same decryption routines and obfuscation techniques, overlap in command and control infrastructure, and similarities in code.

Lazarus is an active cybercriminal group believed to be behind a number of massive and devastating cyberattacks worldwide including the Sony Pictures hack in 2014 and the $81 million Bangladesh Bank heist last year.

“While neither the military nor the ATM attacks were huge and damaging, they are evidence of a worrying trend. South Korea has been the target of cyberespionage attacks since at least 2013, but this is the first time that its ATMs have been targeted purely for financial gain. If the connections we found are accurate, this is yet another example of the Lazarus group turning its attention and considerable malicious arsenal to profiteering. Banks and other financial institutions need to fortify their defenses before it’s too late,” says Seongsu Park, Senior Security Researcher at Kaspersky Lab’s Global Research and Analysis Team (GReAT).

In order to reduce risk, Kaspersky Lab recommends implementing the following security measures:
  • Introduce an enterprise-wide fraud prevention strategy with special sections on ATM and internet banking security. Logical security, physical security of ATMs and fraud prevention measures should be addressed together, as attacks are becoming more complex.
  • Ensure you have a comprehensive, multi-layered security solution in place. For financial organizations, we recommend using specialized solutions with Default Deny and File Integrity Monitor capabilities such as Kaspersky Embedded Systems Security. These solutions can detect any suspicious activity within the payment devices infrastructure. We also recommend implementing network segmentation for ATM or POS devices.
  • Conduct annual security audits and penetration tests. It is better to let professionals find vulnerabilities than to wait for them to be found by cybercriminals.
  • Consider investing in threat intelligence so that you can understand the rapidly evolving and emerging threat landscape and can help your organization and customers to prepare. Find out more at intelreports@kaspersky.com.
  • Train your employees so they can better spot suspicious emails that could be the first stage of an attack.