Kaspersky Lab connects cyber-attack on South Korean military with ATM theft – possible tie to Lazarus

 Kaspersky Lab researchers have connected a 2016 cyber espionage attack on South Korea’s defence agency with a later attack that infected 60 ATMs and stole the data from over 2,000 credit cards. Further, the malicious code and techniques used in both attacks share similarities with earlier attacks widely attributed to the infamous Lazarus group, responsible for series of devastating attacks against commercial and government organizations around the world.

In August 2016, a cyber attack on South Korea’s Ministry of National Defense infected around 3,000 hosts. The Defence Agency reported (Korean) the incident public ally in December 2016, admitting that some confidential information could have been exposed.
Six months later, at least 60 ATMs in South Korea, managed by a single local vendor, were compromised with malware. The incident was reported (Korean) by the Financial Security Institute and, according to the Financial Supervisory Service, resulted in the theft of the details of 2,500 financial cards and the illegal withdrawal in Taiwan of approximately 2,500 USD from these accounts. Kaspersky Lab researched the malware used in the ATM incident and discovered that the machines were attacked with the same malicious code used to hit the Korean Ministry of National Defence in August 2016.

Exploring the connection between these attacks and earlier hacks, Kaspersky Lab has found similarities with the Dark Seoul malicious operations, and others, which are attributed to the Lazarus hacking group. The commonalities include, among other things, the use of the same decryption routines and obfuscation techniques, overlap in command and control infrastructure, and similarities in code.
Lazarus is an active cyber criminal group believed to be behind a number of massive and devastating cyber attacks worldwide including the Sony Pictures hack in 2014 and the $81 million Bangladesh Bank heist last year.