Since February 2020, North Korean state-sponsored hackers have been targeting banks in multiple countries, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM) warn in a joint advisory. Hackers
Active since at least 2014, and referred to as BeagleBoyz, the hacking group is responsible for numerous attacks on financial institutions worldwide, such as the $81 million heist from a Bangladeshi bank, the FASTCash ATM cash-out scheme, and attacks on cryptocurrency exchanges.
BeagleBoyz, the advisory notes, represents a subset of HIDDEN COBRA, the cyber-activity the United States associates with North Korea hackers, and is also known as Lazarus, APT38, Bluenoroff, and Stardust Chollima.
Since 2015, the group has been abusing compromised bank-operated SWIFT system endpoints and has attempted to steal an estimated $2 billion to date.
“The BeagleBoyz’s bank robberies pose severe operational risk for individual firms beyond reputational harm and financial loss from theft and recovery costs. […] Equally concerning, these malicious actors have manipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions,” the joint advisory reads.
The US notes that the BeagleBoyz often leave anti-forensic tools on the computer networks of victim institutions, that they deployed a wiper against a bank in Chile in 2018, and also warns that the hackers’ ability to “exploit critical banking systems may erode confidence in those systems and presents risks to financial institutions across the world.”
The hackers performed fraudulent ATM withdrawals in multiple countries, including the United States, affecting over 30 countries in total.
Since the FASTCash scheme was publicly detailed in October 2018, the hackers have updated their capability to perform the attacks. They have developed malware for the targeting of switch applications on Windows servers, and also expanded the campaign to target interbank payment processors.
Following initial intrusion, the hackers selectively exploit systems within the compromised environment, and employ a variety of methods to run code, maintain access to the compromised systems, leverage privileges, and evade defenses.
Once inside the network of a financial institution, the adversaries look for the SWIFT terminal and for the server where the organization’s payment switch application is stored. They also map out the network to learn about the available systems and move laterally, and perform reconnaissance and administration operations.
The BeagleBoyz use a variety of malware in their attacks, including the CROWDEDFLOUNDER and HOPLIGHT remote access Trojans (RATs), which allow for remote access and data exfiltration, ECCENTRICBANDWAGON for keylogging, and the VIVACIOUSGIFT and ELECTRICFISH network proxy tunneling tools.
In attacks on cryptocurrency exchanges, the hacking group prefers the COPPERHEDGE full-featured RAT, which allows them to run arbitrary commands, perform information harvesting, or exfiltrate data, the U.S. agencies said.
After gaining access to SWIFT terminals and switch application servers, the threat actor monitors the system to gain knowledge of configurations and legitimate use patterns, and then performs illicit transactions that allow for fraudulent ATM cash outs.
The FASTCash malware, which can intercept financial request messages and inject fraudulent messages, is used in these attacks against both UNIX and Windows machines. The Windows variant reveals the use of modified publicly available code for the hashmaps and hook functions and the parsing of ISO 8583 messages.
FASTCash for Windows, the advisory reveals, was designed to inject itself into running software and take control of send and receive functions, to manipulate ISO 8583 messages. Two variants of the malware were observed, supporting ASCII encoding and Extended Binary Coded Decimal Interchange Code (EBCIDC) encoding, respectively.
The U.S. provides full technical details on both FASTCash and FASTCash for Windows, and has included in the joint advisory various recommendations for financial institutions and other organizations looking to keep their systems protected from the BeagleBoyz group.