South Korean Cyberattacks – From Military To ATM

Spread the love


Following a detailed malware analysis, Kaspersky Lab researchers have connected two South Korean cyberattacks affecting their defence agency as well as 60 ATMs and over 2,000 credit cards.

The malicious code and techniques used in both cyberattacks share similarities with earlier cyberattacks widely attributed to the infamous Lazarus group.

At the Kaspersky Lab Palaeontology of Cybersecurity conferenceSeongsu ParkSenior Security Researcher, Global Research & Analysis Team, APAC, detailed how Kaspersky GReAT researchers traced the disparate South Korean cyberattacks and found the similarities that connected them.

The South Korean Cyberattacks - From Military To ATM

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!


South Korean Cyberattacks – From Military To ATM

In August 2016, a cyberattack on South Korea’s Ministry of National Defense infected around 3,000 hosts. The Defense Agency reported the incident publically in December 2016, admitting that some confidential information could have been exposed.

Six months later, at least 60 South Korean ATMs, managed by a single local vendor, were compromised with malware. The incident was reported by the Financial Security Institute and, according to the Financial Supervisory Service (FSS), resulted in the theft of the details of 2,500 financial cards and the illegal withdrawal in Taiwan of approximately US$ 2,500 from these accounts.

Kaspersky Lab researched the malware used in the ATM incident and discovered that the machines were attacked with the same malicious code used to hit the Korean Ministry of National Defense in August 2016. Exploring the connection between these attacks and earlier hacks, Kaspersky Lab has found similarities with the DarkSeoul malicious operations, and others, which are attributed to the Lazarus hacking group.

The commonalities include, among other things, the use of the same decryption routines and obfuscation techniques, overlap in command and control infrastructure, and similarities in code.

What Is The Lazarus Group?

Lazarus is an active cybercriminal group believed to be behind a number of massive and devastating cyberattacks worldwide including the Sony Pictures hack in 2014 and the $81 million Bangladesh Bank heist last year.

Preventive Measures

In order to reduce risk, Kaspersky Lab recommends implementing the following security measures:

  • Introduce an enterprise-wide fraud prevention strategy with special sections on ATM and internet banking security. Logical security, physical security of ATMs and fraud prevention measures should be addressed altogether as attacks are becoming more complex.[adrotate group=”2″]
  • Ensure you have a comprehensive, multi-layered security solution in place. For financial organizations, we recommend using specialized solutions with Default Deny and File Integrity Monitor capabilities such as Kaspersky Embedded Systems Security. These solutions can detect any suspicious activity within the payment devices infrastructure. We also recommend implementing network segmentation for ATM or POS devices.
  • Conduct annual security audits and penetration tests. It is better to let professionals find vulnerabilities than to wait for them to be found by cybercriminals.
  • Consider investing in threat intelligence so that you can understand the rapidly evolving and emerging threat landscape and can help your organization and customers to prepare. Find out more at [email protected].
  • Train your employees so they can better spot suspicious emails that could be the first stage of an attack.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!

Next Page > The South Korean Cyberattacks Presentation Slides


Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

About The Author

Leave a Reply