Among the nation-state threat actors, North Korean hackers are perhaps the most active in targeting private commercial interests in other countries for profit. A new warning from a collection of US government agencies indicates that they have stepped up cyber attacks of this nature during the Covid-19 pandemic months, with a group that has been active since 2015 stealing tens of millions this year alone.
The BeagleBoyz group’s primary MO has been fraudulent cash-outs at ATMs after hacking the bank’s payment systems, but as of this year it has incorporated social engineering elements into its schemes.
North Korean hackers hit the world’s banks for billions
The new warning, which comes in the form of a substantial activity report, was issued jointly by several US agencies: CISA, the US Treasury, US Cyber Command and the FBI.
BeagleBoyz first came to the attention of security researchers in 2015, but went into an extended lull around late 2018 before re-emerging in late 2019. US agencies have linked this team directly to the reclusive country’s intelligence service, indicating that these cyber attacks are meant to provide funding for the North Korean government. While the group appears to be a unique entity, its activities often overlap with other known North Korean hackers sponsored by the state such as Lazarus and Bluenoroff.
The report estimates that the North Korean hackers have attempted to steal at least $2 billion internationally since first being spotted in 2015. It points out that the costs are much higher than just the stolen funds, however, as the group often conducts cyber attacks that cause lasting damage to critical financial systems. Some banks have seen ATM services knocked out for weeks or even months after one of these attacks, as BeagleBoyz aggressively attempts to cover its tracks by deploying wiper malware and anti-forensic tools.
The North Korean hackers have hit banks in 38 countries to date, and some attacks have seen coordinated hits in as many as 30 of these at a time. The group seems to mostly avoid traditional high-profile targets in the United States and Europe, however, and has also left Russia and China alone. It instead focuses heavily on the Asia Pacific region, South America and southeastern Africa. It has made at least one incursion into the US, however, targeting some banks in the country during the SWIFT fraud scheme of 2016 that netted $81 million from the Bank of Bangladesh.
The group gains access to financial institution systems via spearphishing and watering hole attacks, but 2020 saw it introduce social engineering scams into the mix of cyber attacks. The North Korean hackers are now posting fake job applications on LinkedIn targeted at employees of organizations of interest, usually with a malicious document file introduced somewhere in the process.
Once they have a foothold in a target system, the North Korean hackers work patiently to escalate privileges until they can get access to the bank’s SWIFT terminal and the server that hosts the payment switch application. The group focuses on collecting credentials and installing tooling that enables later fraudulent ATM cash-outs as well as wire fraud schemes. They have even targeted cryptocurrency exchanges, something the group has gradually spent more effort on over time because it allows for the potential theft of hundreds of millions of dollars at once with little risk of being traced.
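The coordinated ATM cash-outs described above (many withdrawals across many countries in a short window, sometimes with one card token reused abroad) leave a pattern that a bank’s fraud team can look for in its own authorization logs. The script below is an added illustration written for this article, not code from the agencies’ report or from any bank; the record format, the thresholds and the sample withdrawals are all constructed assumptions chosen to show the two checks, and a real deployment would tune them against the institution’s own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records for this example (not real transaction data).
# Fields: card token, ISO country code of the ATM, ISO-8601 timestamp, amount (USD).
SAMPLE_WITHDRAWALS = [
    ("tok-0001", "TH", "2020-08-01T01:58:00", 200),   # ordinary activity
    ("tok-0002", "PH", "2020-08-01T03:10:00", 150),
    # A simulated coordinated cash-out: many cards, many countries, minutes apart.
    ("tok-1001", "TH", "2020-08-01T22:00:00", 500),
    ("tok-1002", "PH", "2020-08-01T22:01:00", 500),
    ("tok-1003", "ID", "2020-08-01T22:02:00", 500),
    ("tok-1004", "MY", "2020-08-01T22:03:00", 500),
    ("tok-1005", "ZA", "2020-08-01T22:04:00", 500),
    ("tok-1006", "BR", "2020-08-01T22:05:00", 500),
    ("tok-1001", "ID", "2020-08-01T22:20:00", 500),   # same token reused in another country
]


def parse(records):
    """Turn raw tuples into dicts with real datetimes, sorted by time."""
    rows = [
        {"card": card, "country": country,
         "ts": datetime.fromisoformat(ts), "amount": amount}
        for card, country, ts, amount in records
    ]
    return sorted(rows, key=lambda r: r["ts"])


def fleet_bursts(records, window=timedelta(minutes=30), min_countries=5):
    """Flag any window in which withdrawals touch at least min_countries countries.

    This is the fleet-wide signal: a legitimate customer base does not produce
    a sudden spread of withdrawals across many countries within minutes.
    Thresholds are assumptions for the example, not figures from the report.
    """
    rows = parse(records)
    alerts = []
    i = 0
    while i < len(rows):
        end = rows[i]["ts"] + window
        group = [r for r in rows[i:] if r["ts"] <= end]
        countries = {r["country"] for r in group}
        if len(countries) >= min_countries:
            alerts.append({
                "start": rows[i]["ts"].isoformat(),
                "countries": sorted(countries),
                "withdrawals": len(group),
                "total": sum(r["amount"] for r in group),
            })
            i += len(group)   # report each burst once, then move past it
        else:
            i += 1
    return alerts


def impossible_travel(records, window=timedelta(hours=1)):
    """Flag card tokens used at ATMs in two or more countries within one window.

    A physical card cannot be in two countries an hour apart; this is the
    per-card signal for cloned or fraudulently authorized cards.
    """
    by_card = defaultdict(list)
    for r in parse(records):
        by_card[r["card"]].append(r)
    flagged = {}
    for card, rows in by_card.items():
        for idx, a in enumerate(rows):
            for b in rows[idx + 1:]:
                if b["ts"] - a["ts"] <= window and b["country"] != a["country"]:
                    flagged.setdefault(card, set()).update({a["country"], b["country"]})
    return {card: sorted(countries) for card, countries in flagged.items()}


if __name__ == "__main__":
    for alert in fleet_bursts(SAMPLE_WITHDRAWALS):
        print("burst:", alert)
    for card, countries in impossible_travel(SAMPLE_WITHDRAWALS).items():
        print("token used in multiple countries:", card, countries)
```

Both checks run on authorization records the bank already holds, so they cost nothing in the payment path; the burst check is the one that matters most for this group, since a cash-out run is designed to complete before anyone reviews the day’s activity.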
Cyber attacks on banks becoming more serious
Forbes reports that though state-sponsored cyber attacks still account for only about 10% of this type of crime, these groups are becoming more sophisticated and persistent. One example of their expanding repertoire is to lead with a distributed denial of service (DDoS) attack as a feint, disrupting bank communications and tying up IT resources while the hackers sneak in the back door to execute money transfers.
The US warning comes packed with advice about dealing with the types of cyber attacks the North Korean hackers are using against banks. The agencies advise retail financial outlets to adopt chip and PIN systems, and to make broader use of cryptograms in authorization messaging. Other suggestions include enabling multi-factor authentication for all user accounts that have access to application switch servers, ensuring all data in transit is encrypted, and segregating the local operating environment with a firewall system. This is in addition to a long list of general cybersecurity best practices to head off financial loss, such as keeping up with patches and implementing strong password policies.
Erich Kron, security awareness advocate at KnowBe4, adds: “Organizations should be especially prudent in the training of staff to not only spot, but also report suspected phishing emails and even odd contact requests via social media to the security team, allowing them to take measures to address potential attacks against other employees as well.”
Cybersecurity experts are also advising financial institutions to be prepared for something of a “natural DDoS” when economic stimulus and protection measures related to the Covid-19 pandemic kick in. An example is when the US Paycheck Protection Program began distributing money, which put a natural strain on banking services throughout the country comparable to cyber attacks designed to tax overall resources.