North Korea-Affiliated Hackers Steal $13.5M from ATMs in 28 Countries

Hackers suspected of being affiliated with North Korea have stolen more than $13.5 million from ATMs in a sophisticated and highly coordinated attack.

The attack targeted about 14,800 ATMs across 28 countries belonging to India-based Cosmos Bank, The Independent reported. It took placed between Aug. 11 and Aug. 13 and involved 12,000 transactions totaling about 940 million rupees (about $13.5 million in U.S. currency).

Attackers were able to compromise Cosmos Bank’s SWIFT debit card payment system, which allowed them to self-approve transactions without the system checking for a genuine card or bank account. The cybercriminals then used fake debit cards to withdraw the stolen money from machines in Canada, Hong Kong, India and 25 other countries.

Notably, the attack came just days after the FBI sent out a confidential alert warning of an impending “ATM cash-out” attack targeting a single financial institution. The alert was sent to banks across the globe and was made public by cybersecurity journalist Brian Krebs.

“The FBI has obtained unspecified reporting indicating cybercriminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach,” the alert read.

Indian media first reported the breach and were also the first to link the attacks to similar cyber capers carried out by the Lazarus Group — a high-profile cybercrime organization with suspected ties to the North Korea government.

Cosmos Bank Chairman Milind Kale told the India Times that because of the international scale of the attack and the countries involved, it would take “coordinated efforts of all the agencies” to recover the stolen funds.

Kale added that the financial institution’s core banking or security systems were not impacted by the attack. Cosmos Bank has reportedly hired a forensics agency to help investigate the fraud.

Lazarus Group has been tied to similar attacks, including a heist that resulted in $951 million being stolen from Bangladesh Bank in April 2016.

Some cybersecurity experts believe Lazarus is made up of different sub-groups focused on different hacks, such as spying or financial attacks. Lazarus has also been tied to a breach of Sony Pictures in 2014 and the widespread WannaCry ransomware campaign carried out last year.