U.S. government agencies have sounded an alert about the activities of a North Korean hacker group, dubbed the BeagleBoyz, that is carrying out sophisticated cyber-enabled ATM cash-out campaigns to rob banks and other financial institutions.
In an alert issued Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA), Treasury, FBI, and USCYBERCOM said the BeagleBoyz have resumed their ATM cash-out campaigns that they have been conducting since 2015 with remarkable success. Money stolen by the cyber crime group is used by the North Korean regime to develop UN-prohibited nuclear weapons and ballistic missile programmes.
The agencies said the North Korean hacker group has been carrying out fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, deploying malware into the computer networks of banks, and fraudulently withdrawing money from ATMs to steal nearly $2 billion.
The BeagleBoyz are an element of the North Korean government’s Reconnaissance General Bureau, and their activities frequently overlap with those of other North Korean hacker groups such as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima.
“North Korea’s BeagleBoyz are responsible for the sophisticated cyber-enabled ATM cash-out campaigns identified publicly as ‘FASTCash’ in October 2018. Since 2016, the BeagleBoyz have perpetrated the FASTCash scheme, targeting banks’ retail payment system infrastructure (i.e., switch application servers processing International Standards Organization [ISO] 8583 messages, which is the standard for financial transaction messaging).
“As opposed to typical cybercrime, the group likely conducts well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities. Their malicious cyber operations have netted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime. The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection.
“Over time, their operations have become increasingly complex and destructive. The tools and implants employed by this group are consistently complex and demonstrate a strong focus on effectiveness and operational security,” the agencies warned.
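The alert quoted above names the switch application servers that process ISO 8583 messages as the infrastructure FASTCash targets. The block below is an added example, not code from the alert or from any bank or vendor: a minimal ISO 8583 parser (MTI, primary bitmap, a handful of data elements) together with a reconciliation check a defender could run over a switch's message log, pairing 0200 requests with 0210 responses by STAN and terminal ID and reporting responses that have no matching request, approvals whose amount differs from the request, and requests that were never answered. The article does not describe how FASTCash manipulates switch traffic, so this is a generic integrity control rather than a detection signature for that scheme. The field subset, the ASCII encoding, and every sample message are constructed for the example.

```python
"""ISO 8583 request/response reconciliation over a constructed message log.

Added example; not code from the CISA alert or from any bank switch. All
messages are constructed, ASCII-encoded, and use a primary bitmap only.
"""

# Data elements used here: DE -> (encoding, length). A real switch implements
# the full ISO 8583 dictionary; this subset is an assumption for the example.
FIELD_SPECS = {
    2: ("llvar", 19),   # primary account number (variable length, 2-digit prefix)
    3: ("fixed", 6),    # processing code, e.g. 010000 for a cash withdrawal
    4: ("fixed", 12),   # transaction amount in minor units, zero padded
    11: ("fixed", 6),   # system trace audit number (STAN)
    39: ("fixed", 2),   # response code, "00" means approved
    41: ("fixed", 8),   # card acceptor terminal identification
}


def encode_bitmap(fields):
    """Primary bitmap: bit n (1 = most significant) marks DE n as present."""
    bits = 0
    for n in fields:
        bits |= 1 << (64 - n)
    return f"{bits:016X}"


def decode_bitmap(hex_bitmap):
    bits = int(hex_bitmap, 16)
    return [n for n in range(1, 65) if bits & (1 << (64 - n))]


def build_message(mti, elements):
    """Serialise MTI + primary bitmap + data elements in ascending DE order."""
    body = []
    for n in sorted(elements):
        kind, length = FIELD_SPECS[n]
        value = elements[n]
        if kind == "fixed":
            if len(value) != length:
                raise ValueError(f"DE{n} must be {length} characters")
            body.append(value)
        else:  # llvar: two-digit length prefix, then the value
            if len(value) > length:
                raise ValueError(f"DE{n} exceeds {length} characters")
            body.append(f"{len(value):02d}{value}")
    return mti + encode_bitmap(elements) + "".join(body)


def parse_message(raw):
    """Return (mti, {DE: value}); raise on anything the spec cannot account for."""
    mti, bitmap, rest = raw[:4], raw[4:20], raw[20:]
    present = decode_bitmap(bitmap)
    if 1 in present:
        raise ValueError("secondary bitmap not handled in this example")
    elements = {}
    for n in present:
        if n not in FIELD_SPECS:
            raise ValueError(f"no field spec for DE{n}")
        kind, length = FIELD_SPECS[n]
        if kind == "fixed":
            expected = length
            elements[n], rest = rest[:length], rest[length:]
        else:
            expected = int(rest[:2])
            elements[n], rest = rest[2:2 + expected], rest[2 + expected:]
        if len(elements[n]) != expected:
            raise ValueError(f"DE{n} truncated")
    if rest:
        raise ValueError("trailing bytes after last data element")
    return mti, elements


def reconcile(messages):
    """Pair 0200 requests with 0210 responses keyed by (STAN, terminal) and
    report orphan responses, amount mismatches on approvals, and unanswered
    requests. Findings are returned in the order they are detected."""
    pending = {}
    findings = []
    for raw in messages:
        mti, de = parse_message(raw)
        key = (de.get(11), de.get(41))
        if mti == "0200":
            pending[key] = de
        elif mti == "0210":
            request = pending.pop(key, None)
            if request is None:
                findings.append(f"orphan response STAN={key[0]} terminal={key[1]}")
            elif de.get(39) == "00" and de.get(4) != request.get(4):
                findings.append(f"amount mismatch STAN={key[0]} terminal={key[1]}")
    for stan, terminal in pending:
        findings.append(f"unanswered request STAN={stan} terminal={terminal}")
    return findings


# Constructed sample log: one clean request/response pair, one response with
# no request behind it, and one request that never received a response.
PAN = "4000123412341234"  # constructed test value, not a real card number
SAMPLE_MESSAGES = [
    build_message("0200", {2: PAN, 3: "010000", 4: "000000020000",
                           11: "000101", 41: "ATM00001"}),
    build_message("0210", {2: PAN, 3: "010000", 4: "000000020000",
                           11: "000101", 39: "00", 41: "ATM00001"}),
    build_message("0210", {2: PAN, 3: "010000", 4: "000000500000",
                           11: "000102", 39: "00", 41: "ATM00001"}),
    build_message("0200", {2: PAN, 3: "010000", 4: "000000010000",
                           11: "000103", 41: "ATM00002"}),
]

if __name__ == "__main__":
    for finding in reconcile(SAMPLE_MESSAGES):
        print(finding)
```

Running the block reports the orphan response for STAN 000102 and the unanswered request for STAN 000103. In a real deployment the message log would be taken from a capture point independent of the switch host itself, since a check that runs on a compromised server can be fed the same altered view of traffic.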
They added that in the past few years, BeagleBoyz targeted banks and financial institutions in a large number of countries, including Argentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Chile, Costa Rica, Ecuador, Ghana, India, Indonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mexico, Mozambique, Nepal, Nicaragua, Nigeria, Pakistan, Panama, Peru, Philippines, Singapore, South Africa, South Korea, Spain, Taiwan, Tanzania, Togo, Turkey, Uganda, Uruguay, Vietnam, and Zambia.
Aside from using various techniques to target banks and financial institutions, the hacker group also targets cryptocurrency exchanges to steal large amounts of cryptocurrency, sometimes valued at hundreds of millions of dollars per incident.
“Cryptocurrency offers the BeagleBoyz an irreversible method of theft that can be converted into fiat currency because the permanent nature of cryptocurrency transfers does not allow for claw-back mechanisms. Working with U.S. Government partners, CISA, Treasury, FBI, and USCYBERCOM identified COPPERHEDGE as the tool of choice for the BeagleBoyz to exploit cryptocurrency exchanges. COPPERHEDGE is a full-featured remote access tool capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data,” they added.
Commenting on the activities perpetrated by the BeagleBoyz, Chris Hauk, Consumer Privacy Champion at Pixel Privacy, said that we can expect to see an increase in attacks like this, as the North Koreans and similar regimes face reduced financial support from China, Russia, and other financiers.
“Banks and other financial institutions should step up efforts to educate employees and executives as to the dangers of spearphishing and watering holes, in order to lessen the chances of their falling for such old but proven phishing techniques,” he said.