Kaspersky Lab connects
cyber-attack on South Korean military with ATM theft – possible tie to Lazarus
cyber-attack on South Korean military with ATM theft – possible tie to Lazarus
11 July 2017
Following a detailed malware analysis, Kaspersky
Lab researchers have connected a 2016 cyberespionage attack on South Korea’s
defense agency with a later attack that infected 60 ATMs and stole the data from over 2,000 credit cards. Further, the malicious code and
techniques used in both attacks share similarities with earlier attacks widely
attributed to the infamous Lazarus group, responsible for series of devastating
attacks against commercial and government organizations around the world.
Lab researchers have connected a 2016 cyberespionage attack on South Korea’s
defense agency with a later attack that infected 60 ATMs and stole the data from over 2,000 credit cards. Further, the malicious code and
techniques used in both attacks share similarities with earlier attacks widely
attributed to the infamous Lazarus group, responsible for series of devastating
attacks against commercial and government organizations around the world.
In August 2016, a cyberattack on South Korea’s Ministry of National
Defense infected around 3,000 hosts. The Defense Agency reported (Korean) the incident publically in December
2016, admitting that some confidential information could have been exposed.
Defense infected around 3,000 hosts. The Defense Agency reported (Korean) the incident publically in December
2016, admitting that some confidential information could have been exposed.
Six months later, at least 60 ATMs in South
Korea, managed by a single local vendor, were compromised with malware. The incident was reported (Korean) by the Financial Security Institute
and, according to the Financial Supervisory Service, resulted in the theft of the details of
2,500 financial cards and the illegal withdrawal in Taiwan of approximately 2,500 USD from these accounts. Kaspersky Lab researched the malware used in
the ATM incident and discovered that the machines were attacked with the same malicious code used to hit the
Korean Ministry of National Defense in August 2016.
Korea, managed by a single local vendor, were compromised with malware. The incident was reported (Korean) by the Financial Security Institute
and, according to the Financial Supervisory Service, resulted in the theft of the details of
2,500 financial cards and the illegal withdrawal in Taiwan of approximately 2,500 USD from these accounts. Kaspersky Lab researched the malware used in
the ATM incident and discovered that the machines were attacked with the same malicious code used to hit the
Korean Ministry of National Defense in August 2016.
Exploring the connection between these attacks
and earlier hacks, Kaspersky Lab has found similarities with the DarkSeoul malicious operations, and others, which are attributed to the Lazarus hacking
group. The commonalities include, among other things, the use of the same
decryption routines and obfuscation techniques, overlap in command and control
infrastructure, and similarities in code.
and earlier hacks, Kaspersky Lab has found similarities with the DarkSeoul malicious operations, and others, which are attributed to the Lazarus hacking
group. The commonalities include, among other things, the use of the same
decryption routines and obfuscation techniques, overlap in command and control
infrastructure, and similarities in code.
Lazarus is an active cybercriminal group believed to
be behind a number of massive and devastating cyberattacks worldwide including
the Sony Pictures hack in 2014 and the $81 million Bangladesh Bank heist last
year.
be behind a number of massive and devastating cyberattacks worldwide including
the Sony Pictures hack in 2014 and the $81 million Bangladesh Bank heist last
year.
“While
neither the military nor the ATM attacks were huge and damaging, they are
evidence of a worrying trend. South
Korea has been the target of cyberespionage attacks since at least 2013, but
this is the first time that its ATMs have been targeted purely for financial
gain. If the connections we found are
accurate, this is yet another example of the Lazarus group turning its
attention and considerable malicious arsenal to profiteering. Banks and other financial institutions need
to fortify their defenses before it’s too late,” says Seongsu Park, Senior
Security Researcher at Kaspersky Lab’s Global Research and Analysis Team
(GReAT).
neither the military nor the ATM attacks were huge and damaging, they are
evidence of a worrying trend. South
Korea has been the target of cyberespionage attacks since at least 2013, but
this is the first time that its ATMs have been targeted purely for financial
gain. If the connections we found are
accurate, this is yet another example of the Lazarus group turning its
attention and considerable malicious arsenal to profiteering. Banks and other financial institutions need
to fortify their defenses before it’s too late,” says Seongsu Park, Senior
Security Researcher at Kaspersky Lab’s Global Research and Analysis Team
(GReAT).
In order to reduce risk, Kaspersky Lab
recommends implementing the following security measures:
recommends implementing the following security measures:
·
Introduce
an enterprise-wide fraud prevention strategy with special sections on ATM and
internet banking security. Logical security, physical security of ATMs and
fraud prevention measures should be addressed altogether as attacks are
becoming more complex.
Introduce
an enterprise-wide fraud prevention strategy with special sections on ATM and
internet banking security. Logical security, physical security of ATMs and
fraud prevention measures should be addressed altogether as attacks are
becoming more complex.
- Ensure you have a
comprehensive, multi-layered security solution in place. For financial
organizations, we recommend using specialized solutions with Default Deny and File Integrity Monitor
capabilities such as Kaspersky Embedded Systems Security. These solutions can detect any suspicious activity within the
payment devices infrastructure. We also recommend implementing network
segmentation for ATM or POS devices.
·
Conduct
annual security audits and penetration tests. It is better to let professionals
find vulnerabilities than to wait for them to be found by cybercriminals.
Conduct
annual security audits and penetration tests. It is better to let professionals
find vulnerabilities than to wait for them to be found by cybercriminals.
- Consider investing in threat
intelligence so that you can understand the rapidly evolving and emerging
threat landscape and can help your organization and customers to
prepare. Find
out more at intelreports@kaspersky.com.
- Train your employees so they
can better spot suspicious emails that could be the first stage of an
attack.
About Kaspersky Lab
Kaspersky Lab is a global
cybersecurity company celebrating its 20 year anniversary in 2017. Kaspersky
Lab’s deep threat intelligence and security expertise is constantly
transforming into security solutions and services to protect businesses,
critical infrastructure, governments and consumers around the globe. The
company’s comprehensive security portfolio includes leading endpoint protection
and a number of specialized security solutions and services to fight
sophisticated and evolving digital threats. Over 400 million users are
protected by Kaspersky Lab technologies and we help 270,000 corporate clients
protect what matters most to them. Learn more at www.kaspersky.com.
For the LATEST tech updates,
FOLLOW us on our Twitter
LIKE us on our FaceBook
SUBSCRIBE to us on our YouTube Channel!
