The US government has issued an alert about an active hacking team that has used malware to help them steal millions of dollars from banks around the world.
A North Korean government-backed hacking group, known as the BeagleBoyz, are named as the group responsible for the attacks which are estimated to have attempted to steal as much as US $2 billion through ATM cashouts, abuse of the banking industry’s SWIFT money transfer network, and attacks on cryptocurrency exchanges.
Perhaps most infamously, the BeagleBoyz – a subset of the Hidden Cobra cybercrime group, also known variously as Lazarus, the Guardians of Peace, or Whois Team – are being blamed for the attempted theft of US $1 billion from the Bank of Bangladesh in 2016.
That attack was foiled by a careless typo by one the hackers, although the hackers still managed to get away with $81 million.
According to the US-CERT alert, there has been a resurgence in the state-sponsored BeagleBoyz hacking group’s activities against banks since February 2020, seemingly in an attempt to fund the regime in North Korea.
What would North Korea want so much money for? Well, the US government advisory gives one chilling possible explanation:
This illicit behavior has been identified by the United Nations (UN) DPRK Panel of Experts as evasion of UN Security Council resolutions, as it generates substantial revenue for North Korea. North Korea can use these funds for its UN-prohibited nuclear weapons and ballistic missile programs.
Techniques used by the BeagleBoyz to create an initial bridgehead, giving them access to a financial institution’s targeted network include:
- Sending a malware-infected email attachment to individuals working in the financial industry.
- “Watering hole” attacks, where a website known to be visited by people who work in the banking sector is compromised, infecting visiting computers with a malicious drive-by download.
- Exploitation of a vulnerability in an internet-facing computer system (such as a database or web server).
- Stealing login credentials from privileged users to bypass access controls.
- Target organisations, suppliers, and contractors who have trusted access to the bank’s network and infrastructure.
- Use remote services to initially access and persist within a intended victim’s network.
Once they have successfully infiltrated a financial institution’s network, the hackers seek out non-internet facing SWIFT (Society for Worldwide Interbank Financial Telecommunications) terminals and the server hosting the institution’s ATM payment switch application.
Further credentials may be gathered by the hacking group through keylogging malware, theft of password databases, and other techniques.
As they traverse the network they learn more about the bank’s internal systems, deploying network proxy tunneling tools – which have been given the imaginative monikers of VIVACIOUSGIFT and ELECTRICFISH – to communicate between the internet and the switch application server or SWIFT terminal.
If a “FastCASH” attack against a bank’s ATM system was successful it would allow the BeagleBoyz and their cohorts to withdraw money easily from cash machines around the world, as just a few keypresses at each would cause a small fortune to be spat out.
In addition, US-CERT warns that it is not just traditional financial institutions which may find themselves targeted by the BeagleBoyz hacking group. Cryptocurrency exchanges are also in the criminals’ sights, with the hackers recognising that unlike traditional money transfers there is no possibility of money being clawed-back after an illicit movement of cryptocurrency funds.
US-CERT recommends that law enforcement agencies and the Treasury should be informed immediately if any financial institution believes it has seen evidence of activity by the BeagleBoys.
Furthermore, at-risk organisations are advised to take note of the published IOCs (Indicators of Compromise) and use intrusion detection systems to actively block and report suspected malicious activity.
Financial insitutions are also reminded to verify that their security is compliant with industry standards.
More details and advice can be found in the US-CERT advisory.