North Korea's 'BeagleBoyz' target banks with ATM cash-out attacks

The North Korean government is back with another bank theft scheme.

The U.S. Cyber Infrastructure and Security Agency (CISA), the Department of the Treasury, the FBI and U.S. Cyber Command issued a joint alert Wednesday regarding nation-state hackers tied to the North Korean government that are using newly-identified malware "as part of an ATM cash-out scheme." The U.S. Government refers to the scheme as "FastCash," and identified the group behind it as "BeagleBoyz," which is a part of a larger North Korean advanced persistent threat (APT) group known as Hidden Cobra, APT 38 and Lazarus Group.

According to Fortinet threat researcher Val Saengphaibul, who published a technical analysis of the malware identified in the alert, the alert adds a new layer to North Korean nation-state threats. "This is the first time that this group has been named. Prior attacks have been attributed to HIDDEN COBRA only, however, this is the first time the "BeagleBoyz" have been identified outside of [the government]."

Although BeagleBoyz has only been recently identified, the alert notes that the group has "likely" been active since 2014. Their operation is an international bank robbery ring that has likely targeted financial institutions across dozens of countries including Brazil, India, Japan, Mexico, Ghana, South Africa, Spain and others.

After gaining initial access to targeted financial institutions via means like spearfishing, social engineering and watering hole attacks, BeagleBoyz lure victims into downloading malware such as "FastCash," which targets AIX servers used by financial institutions. Once the malware is on an institution's servers, it can "intercept financial request messages and reply with fraudulent, but legitimate-looking, affirmative response messages to enable extensive ATM cash outs," the alert says.

The group's primary targets have included bank-operated SWIFT system endpoints and switch application servers for ATMs. While the BeagleBoyz have been conducting FastCash thefts since 2016, they have recently expanded beyond the switch applications and are now hacking "regional interbank payment processors," according to the alert.

Saengphaibul said CISA worked with the Cyber Threat Alliance (CTA) prior to the alert and "shared the samples ahead of the announcement with CTA partners to ensure that customers of CTA members were immediately protected in real time."

Since at least 2015, the BeagleBoyz have "attempted to steal nearly $2 billion," the alert says. In one 2016 incident, the group attempted to steal $1 billion from the Bank of Bangladesh; although the Federal Reserve Bank of New York stopped the theft in progress, BeagleBoyz still made off with $81 million.