Vertical markets, Breach, Content

North Korea-backed BeagleBoyz Hacker Group Targets Banks

A North Korean-sponsored hacking group referred to as BeagleBoyz has re-ignited, after a brief lull, a six-year long, multi-country campaign to steal money through fraudulent bank transfers and ATM cash outs, four federal agencies warned in a new advisory.

The alert, jointly issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, the Federal Bureau of Investigation (FBI) and U.S. Cyber Command, identified malware and other indicators used by the North Korean government in the cyber robbery scheme, which federal officials dubbed “FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks.” The agencies pointed the finger at North Korea’s spy agency for the operation.

Officials described the cyber crew’s raids as “well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities” than typical cyber crimes. Their malicious cyber operations have netted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime.

New activity has been seen in the last seven month, officials said, with the hackers again zeroing in on taking down scores from banks. “Since February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs. The recent resurgence follows a lull in bank targeting since late 2019,” the warning said.

BeagleBoyz have historically used spearphishing and infecting websites to gain initial access into targeted financial institutions. Most recently they’ve deployed social engineering tactics by carrying out job-application themed phishing attacks using publicly available malicious files, the alert said.

BeagleBoyz, which the feds said “represent a subset” of the notorious Hidden Cobra bunch, also “overlap to varying degrees” with the Lazarus and APT38 hackers, the notice said. The hackers are said to be behind a number of high profile heists, most notably the $81 million stolen from the Bank of Bangladesh in 2016 and the FastCash ATM attacks in 2018. All told, BeagleBoyz have attempted to steal nearly $2 billion since at least 2015, officials said.

The impact of their high stakes robberies is widespread. According to the U.S. agencies, fraudulent ATM cash outs have affected “upwards of 30 countries in a single incident. The conspirators have withdrawn cash from ATM machines operated by various unwitting banks in multiple countries, including in the U.S.” BeagleBoyz also uses unsuspecting banks, including some in the U.S., to execute their SWIFT fraud scheme.

In addition to the U.S., among the countries whose financial institutions BeagleBoyz has targeted since 2015 include Argentina, Chile, India, Japan, Mexico, South Korea, Spain and many others, according to the warning. China and Russia are notable exceptions to this point. BeagleBoyz also target cryptocurrency exchanges to steal large amounts of cryptocurrency, sometimes valued at hundreds of millions of dollars per incident, the alert said.

The agencies issued 15 best practices for all organizations to follow to strengthen their security posture:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up to date.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ permissions to install and run unwanted software applications.
  • Enforce a strong password policy and require regular password changes.
  • Exercise caution when opening email attachments.
  • Enable a personal firewall on agency workstations and configure it to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments.
  • Restrict access to sites with unfavorable content.
  • Exercise caution when using removable media.
  • Scan all software downloaded from the internet before executing.
  • Maintain situational awareness of the latest threats.
  • Implement appropriate access control lists.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.