North Korean hackers are actively robbing banks around the world, US government warns

The BeagleBoyz have made off with nearly $2 billion since 2015, and they're back to attacking financial institutions after a short lull in activity.

Hacker using laptop

Image: Getty Images/iStockphoto

The BeagleBoyz, part of the North Korean government's hacking apparatus, are back to targeting banks around the world after a brief pause in activity. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert with details of how the BeagleBoyz have made off with an estimated $2 billion in fiat and cryptocurrency since 2015, along with details on how financial institutions can protect themselves against their known patterns of attack.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

Along with the theft of massive amounts of money that the United Nations believes is used for North Korea's nuclear weapons and ballistic missile programs, the robberies also pose a serious risk to financial institutions' reputations, their operations, and public confidence in banking, CISA said.

The BeagleBoyz aren't typical cybercriminals either: They conduct "well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities," CISA warns. "Over time, their operations have become increasingly complex and destructive. The tools and implants employed by this group are consistently complex and demonstrate a strong focus on effectiveness and operational security."

The group has used a variety of approaches to gaining initial access: Spear phishing, watering holes, social engineering, malicious files, and even contracted third-party hacking groups have been used for initial penetration.

Once inside a network, the BeagleBoyz have again used a wide variety of approaches to meet their objectives, establish a persistent presence, evade defense, and harvest credentials of privileged users. 

SEE: Cybersecurity: Let's get tactical (free PDF) (TechRepublic)

CISA said that the BeagleBoyz appear to seek out two particular systems in a financial institution's network: It's SWIFT terminal and the server hosting the payment switch application for the bank. They map networks using locally-available administrative tools, deploy a constantly evolving list of command and control software, and ultimately try to make off with any possible money they can get their hands on via fraudulent ATM cashouts. 

"After gaining access to either one or both of these operationally critical systems, the BeagleBoyz monitor the systems to learn about their configurations and legitimate use patterns, and then they deploy bespoke tools to facilitate illicit monetization," CISA said. 

It isn't known if the BeagleBoyz have successfully targeted a US-based financial institution, and CISA's report suggests they've been active primarily in other parts of the world. That doesn't mean they won't attempt to break into a US-based bank: Everyone in the cybersecurity arm of the financial industry should be alert. 

Protecting against the BeagleBoyz

CISA makes the following mitigation suggestions based on particular industry:

All financial institutions:

Institutions with retail payment systems:

  • Require chip and PIN for all transactions

  • Isolate payment system infrastructure behind multiple authentication factors

  • Segment networks into separate, secure enclaves

  • Encrypt all data in transit

  • Monitor networks for anomalous behavior 

Institutions with ATMs or point-of-sale devices: 

  • Validate issuer responses to financial request messages

  • Implement chip and PIN for debit transactions

These suggestions come along with general good security habits such as enforcing strong password policies, keeping all systems up to date, disabling all unnecessary services on workstations, scanning documents and emails for potential malicious code, and staying up to date on the latest threats.

Also see