The hacking team uses various techniques to gain access to banks’ SWIFT terminals to enable wire fraud or their payment switch application servers to enable ATM cash-outs.
Four US agencies including the FBI and Treasury Department have issued a joint advisory warning of a North Korean state-sponsored hacking campaign designed to initiate fraudulent wire transfers and steal cash from ATMs around the world.
The hacking team – known as BeagleBoyz – has attempted to steal nearly USD 2 billion since at least 2015, and has manipulated critical computer systems at banks and other financial institutions, at times rendering them inoperable. The group is also able to tailor their techniques to different targets and to adapt their methods over time.
“The BeagleBoyz’s bank robberies pose severe operational risk for individual firms beyond reputational harm and financial loss from theft and recovery costs,” the joint advisory says.
The group is said to be responsible for the cyber-enabled ATM cash-out campaigns identified publicly as “FASTCash” in October 2018, fraudulent abuse of compromised bank operated SWIFT system endpoints, and cryptocurrency thefts.
The advisory details the various tools and techniques used by the BeagleBoyz to gain access to a financial institution’s network, learn the topology to discover key systems, and monetise their access.
“These findings are presented to highlight the group’s ability to tailor their techniques to different targets and to adapt their methods over time,” the advisory says, calling for ‘layered mitigations’ to effectively defend against the illicit activity.
The BeagleBoyz often seek access to financial institutions’ systems that have tiered user and system accounts with customized privileges, and use different techniques to avoid detection by OS security features, system and network security software, and system audits.
Once inside a financial institution’s network, the BeagleBoyz appear to seek two specific systems – the SWIFT terminal and the server hosting the institution’s payment switch application – in order to enable wire fraud and ATM cash-outs, the advisory says.
It offers recommendations to financial institutions to guard against the threat, including the use of multi-factor authentication for access to the payment switch application server, and firewalls to divide operating environments into enclaves.
The full advisory is available here.