Symantec researchers dissect North Korean malware used in ATM attacks

The Lazarus Group's hacking scheme has triggered simultaneous withdrawals from ATMs in 23 countries this year alone.

As the North Korean government has felt the bite of international sanctions, its hackers have reportedly carried out damaging raids on financial institutions to raise cash. Few operations capture that naked ambition more clearly than a scheme that has reportedly stolen tens of millions of dollars from ATMs in Africa and Asia.

On Thursday, researchers from cybersecurity company Symantec detailed how the malware used in the ATM scheme intercepts fraudulent withdrawal requests and sends messages approving those withdrawals. The Lazarus Group, a broad set of North Korean hackers, is responsible for the so-called FASTCash operation, according to Symantec.

“FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks,” Symantec researchers wrote in a blog post.

The scheme has triggered simultaneous withdrawals from ATMs in 23 countries this year alone, according to a U.S. government advisory issued last month. “The U.S. government assesses that [North Korean government] actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation,” the notice says. There have not been any reports of FASTCash incidents involving institutions in the United States.


The malware used, which Symantec labeled Trojan.Fastcash, will help determine how successful the scheme continues to be. The malicious code targets the switch application servers that underpin ATM transactions, using an executable to produce fraudulent messages that appear to adhere to an industry standard, Symantec researchers said.

Symantec also found multiple versions of the malware, each of which used “different response logic.” It is unclear why those variations were used, but the researchers said they could be tailored to attacking different banks.

In all of the documented attacks, Lazarus hackers have breached banking application servers running outdated versions of an operating system, according to Symantec. “Lazarus continues to pose a serious threat to the banking sector and organizations should take all necessary steps to ensure that their payment systems are fully secured,” the blog states.

While the U.S. government has blamed North Korea for a string of cyberattacks, from the 2014 Sony Pictures Entertainment attack to the 2017 WannaCry incident, Pyongyang’s computer operatives have been undeterred. In a private advisory to industry last month obtained by CyberScoop, the FBI conceded as much.

North Korean hackers’ targeting of financial institutions worldwide “will continue unabated, regardless of the U.S. government public attribution of North Korea,” the FBI notice says.

Written by Sean Lyngaas
