The cyberespionage attack on South Korea’s defence agency and the malware that stole data from over 2,000 financial cards by compromising 60 ATMs in the country were connected, Russian cybersecurity firm Kaspersky Lab said on Tuesday.
Kaspersky Lab found that the malicious code and techniques used in both attacks share similarities with earlier attacks widely attributed to the infamous Lazarus group — a North Korea-based hacking group responsible for series of attacks against commercial and government organisations globally.
“While neither the military nor the ATM attacks were huge and damaging, they are evidence of a worrying trend. South Korea has been the target of cyberespionage attacks since at least 2013, but this is the first time that its ATMs have been targeted purely for financial gain,” Seongsu Park, senior security researcher at Kaspersky Lab’s Global Research and Analysis Team, said in a statement.
“If the connections we found are accurate, this is yet another example of the Lazarus group turning its attention and considerable malicious arsenal to profiteering,” Park added.
In August 2016, a cyberattack on South Korea’s Ministry of National Defense infected nearly 3,000 hosts. The Defense Agency reported the incident publically in December 2016, admitting that some confidential information could have been exposed.
Six months later, at least 60 ATMs in South Korea, managed by a single local vendor, were compromised with malware.
This resulted in the theft of the details of 2,500 financial cards and the illegal withdrawal in Taiwan of nearly $2,500 from these accounts.
Exploring the connection between these attacks, Kaspersky Lab found similarities with the “DarkSeoul” malicious operations which are attributed to the Lazarus hacking group.
Lazarus is an active cybercriminal group believed to be behind a number of cyberattacks worldwide, including the Sony Pictures hack in 2014 and the $81 million Bangladesh Bank heist last year.