US Agencies Warn of Uptick in North Korean Bank Heists'BeagleBoyz' Hacking Group Uses Remote Access Tools
The Cybersecurity and Infrastructure Security Agency and other U.S. agencies have issued a warning about increases in bank heists worldwide spearheaded by a hacking group called "BeagleBoyz," which has ties to the North Korean government.
The BeagleBoyz group is a subset of the North Korean-backed hacking collective known as the Lazarus Group or Hidden Cobra. The subgroup, active since at least 2014, works to provide the government, which faces economic sanctions, with illicit funds, according to the joint alert.
The security firm F-Secure reports that the Lazarus Group recently targeted an employee of a cryptocurrency exchange with a fake job offer in order to plant malware and steal virtual currency.
Since February, the BeagleBoyz group has targeted banks and other financial institutions in nearly 30 countries across the world, including the U.S., and attempted to steal about $2 billion in cash and cryptocurrency, according to U.S. Cyber Command, which issued Wednesday's alert along with CISA, the FBI and the Department of Treasury. The exact amount of money stolen is unclear.
North Korean gov't #cyber actors are targeting banks in 30+ countries in an ongoing cyber-enabled bank robbery scheme, attempting to steal $2B. @CISAgov @USTreasury @FBI and rest of US gov't stands against this bad behavior w/ partners & allies. Read more: https://t.co/Zvgc1YlE0e pic.twitter.com/FP8YzB4ztm— U.S. Cyber Command (@US_CYBERCOM) August 26, 2020
In its latest campaign, the hacking group has used a variety of malicious tools and malware to target banks and other organizations. The threat actors typically use compromised remote access to gain an initial foothold in a network, U.S. authorities say.
In most cases, once the hackers have penetrated a network, they attempt to conduct an ATM cash-out scheme and use money mules to collect the funds. In addition, the BeagleBoyz group conducts fraudulent money transfers through SWIFT - the global money-transfer network, according to the alert.
A History of Fraud
The BeagleBoyz group is believed to be responsible for a series of attacks against banks since 2016 that CISA calls "FASTCash" (see: Lazarus 'FASTCash' Bank Hackers Wield AIX Trojan).
CISA and the other agencies also believe the BeagleBoyz group played a role in the theft of $81 million from Bangladesh Bank in 2016 (see: SWIFT Warns Banks: Coordinated Malware Attacks Underway).
"As opposed to typical cybercrime, the group likely conducts well-planned, disciplined and methodical cyber operations more akin to careful espionage activities," according to the joint alert from the U.S. agencies. "Their malicious cyber operations have netted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime. The group has always used a calculated approach, which allows them to sharpen their tactics, techniques and procedures while evading detection."
Tom Kellermann, the head of cybersecurity strategy at VMware who served as a cybersecurity adviser to former President Barack Obama, notes that North Korean hackers have learned much of their craft from their Russian counterparts and have grown more sophisticated over the years (see: Modern Bank Heists 3.0: 'A Hostage Situation').
"They are truly formidable as they are the benefactors of tech transfer from the Russian dark web forums," Kellerman tells Information Security Media Group. "It is imperative that the financial sector recognize that they have true situational awareness per the unique interdependencies of the sector and are willing to leverage counter incident response and destructive attacks to burn the evidence."
The alert notes that a BeagleBoyz hacking attempt typically starts with a spear-phishing email that targets specific bank employees. Or the hacking group uses a watering hole attack, which involves compromising legitimate websites and installing malware to target site visitors.
In the latest series of attacks, the BeagleBoyz group is also deploying social engineering techniques, such as fake job offers that target employees. The joint advisory notes: "Toward the end of 2018 through 2019 and in early 2020, the BeagleBoyz demonstrated the use of social engineering tactics by carrying out job application themed phishing attacks using ... publicly available malicious files."
In addition, the hacking group relies on other cybercriminal groups, such as TA505, to help gain initial access into systems using commodity malware. Once a system gets compromised, the other group then hands overs access to BeagleBoyz for exploitation, according to the alert.
To gain a foothold within a targeted network, the hackers use a number of techniques, including emailing malicious attachments that contain malware; exploiting weakness, bugs and vulnerabilities in internet-facing systems; stealing credentials of a specific user or service account; and breaching third-party organizations that have access to the primary target's network, according to the alert.
The hacking group also deploys its own malware throughout compromised devices and networks. This includes Trojans, such as Hoplight, which CISA identified in 2019. The malware comprises several proxy applications that are part of a "phone home" operation run by the hackers. The Trojan can disguise the traffic that is sent back to its command-and-control server, the alert notes.
Malware such as Hoplight and another variant called CrowdedFlouder work with the hacking group's command-and-control infrastructure to assist with the exfiltration of data, which includes compressing and encrypting files to evade detection, U.S. authorities say.