Thursday 6 April 2023

LAZARUS HEIST: The international ATM theft that bagged $14M in just over 2 hours

Imagine yourself being an extra in a Bollywood film, with the role of going to a cash point and withdrawing money. This was the case for several men in Maharashtra state who believed they were accepting a minor role in a movie, but were in fact being deceived into acting as money mules, collecting cash in a bold bank heist.

The raid happened in August 2018 and targeted Cosmos Co-operative Bank, headquartered in Pune, India. On that calm Saturday afternoon, staff in the bank’s head office unexpectedly received a series of alarming messages.

They were from the card payment company Visa in the United States, which warned that it could see thousands of demands flooding in for huge cash withdrawals from automated teller machines from people seemingly using Cosmos Bank cards.

Nevertheless, when the Cosmos team investigated their own systems, no abnormal transactions were seen.

Almost half an hour later, just to be safe, they authorized Visa to halt all transactions from Cosmos Bank cards. The following day, Visa shared the complete list of suspect transactions with the Cosmos head office. The list showed nearly 12,000 separate withdrawals from various ATMs around the world, and the bank had lost almost $14 million.

Cosmos said unidentified hackers stole customer information through a malware attack on its ATM server, withdrawing $11 million in mostly overseas transactions.

Aside from the ATM withdrawals, the hackers transferred $3.69 million to a Hong Kong-based company’s account by issuing three unauthorized transactions over the SWIFT global payments network.

It was a daring crime defined by its massive scale and precise synchronization with the criminals robbing ATMs in 28 different countries, including the U.S., the United Kingdom, the United Arab Emirates and Russia. And it all occurred in two hours and 13 minutes.

The Maharashtra cybercrime unit was astonished to see CCTV footage of dozens of men walking up to a series of cashpoints, inserting bank cards and stuffing the notes into bags. “We were not aware of a money mule network like this,” said Inspector General Brijesh Singh, who headed the investigation.

Ultimately, investigators would track its origins back to a shadowy team of hackers called the Lazarus Group, apparently acting at the bidding of the North Korean state. Despite being one of the poorest nations in the world, North Korea devotes a substantial part of its limited resources to producing nuclear weapons and ballistic missiles.

For that reason, the United Nations has placed the country under stringent sanctions, making trade very restrictive.

According to U.S. authorities, the North Korean government is employing a gang of elite hackers to break into banks and financial institutions around the world to steal the money it requires to keep its economy afloat and finance its weapons program.

Lazarus Group is supervised by North Korea’s military intelligence agency

The Lazarus Group is said to be supervised by North Korea’s powerful military intelligence agency: the Reconnaissance General Bureau.

Cybersecurity experts named the group after the biblical figure Lazarus, who comes back from the dead. This is because once the group’s viruses enter computer networks, they are almost impossible to wipe out. They just come back from the dead.

The group initially gained worldwide prominence in 2014, when then-U.S. President Barack Obama accused North Korea of hacking into Sony Pictures Entertainment’s computer network.

The Federal Bureau of Investigation accused the hackers of conducting a cyberattack in retaliation for “The Interview,” a comedy-action film that portrayed the assassination of North Korean leader Kim Jong Un.

The Lazarus Group has also been accused of attempting to steal $1 billion from Bangladesh’s central bank in 2016, and of launching the WannaCry cyberattack, which tried to extort ransoms from victims around the world, including the National Health Service (NHS) in Britain.

North Korea strongly denied the existence of the Lazarus Group, as well as the accusations of state-sponsored hacking.

Nonetheless, leading law enforcement organizations noted that North Korea’s hacks are more advanced, more brazen and more ambitious than ever.

For the Cosmos heist, the hackers utilized a technique called “jackpotting,” so named because getting the ATM to spill its cash is like hitting the jackpot on a slot machine. The bank’s systems were originally compromised in the traditional way: through a phishing email opened by an employee, which infected the computer network with malware.

The hackers then manipulated a piece of software known as the ATM switch, which relays withdrawal requests to the bank so they can be authorized. Controlling the switch gave the hackers the power to approve ATM withdrawals by their associates anywhere in the world, without the bank’s core systems ever recording them.
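The two warning signs in this story were that the card network saw approvals the bank’s own ledger never recorded, and that single cards were being cashed out in several countries within minutes. The following added example (not code from the article or from Cosmos Bank) shows both checks on constructed records; the card numbers, timestamps and country codes are invented for illustration.

```python
"""Reconcile card-network authorizations against the core ledger and flag
cards cashed out in several countries within a short window.
Added example; all records below are constructed, not real transactions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: withdrawals the card network says it approved
# (card, timestamp, ATM country, amount).
NETWORK_AUTHS = [
    ("4111-01", "2018-08-11 15:02", "IN", 200),
    ("4111-01", "2018-08-11 15:04", "AE", 500),
    ("4111-01", "2018-08-11 15:09", "US", 500),
    ("4111-02", "2018-08-11 15:05", "IN", 100),
    ("4111-03", "2018-08-11 15:07", "GB", 300),
]
# Constructed: what the bank's own core ledger recorded in the same period.
CORE_LEDGER = [
    ("4111-02", "2018-08-11 15:05", "IN", 100),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def unreconciled(network, ledger):
    """Authorizations the network approved that the core ledger never saw.
    A compromised switch approving on its own produces exactly this gap."""
    seen = set(ledger)
    return [auth for auth in network if auth not in seen]


def velocity_alerts(network, window_minutes=30, min_countries=2):
    """Cards used in at least min_countries countries inside the window."""
    by_card = defaultdict(list)
    for card, ts, country, _amount in network:
        by_card[card].append((parse(ts), country))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for card, events in by_card.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - start <= window}
            if len(countries) >= min_countries:
                alerts[card] = sorted(countries)
                break
    return alerts
```

Run both checks on every batch the card network reports; in the Cosmos case the first would have fired on thousands of rows before the bank's own systems showed anything abnormal.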
