Multiple American agencies, including the FBI and Department of the Treasury, warned on Wednesday that a hacking syndicate affiliated with North Korea is installing malware in ATMs around the world, stealing billions to fund the regime.
The syndicate in question — the Cybersecurity and Infrastructure Security Agency (CISA) explained in an alert issued alongside the FBI, Treasury, and U.S. Cyber Command — has “attempted to steal nearly $2 billion since at least 2015, according to public estimates,” the alert stated. Identifying the group as the “BeagleBoyz,” it noted that the hackers appear to install malware into global banking computer systems that allow them to access money out of ATMs.
The $2 billion estimate may mean that North Korea is generating far more money from cyber-crime in general, as the “BeagleBoyz” is believed to be a subsidiary of a much larger umbrella network of hackers. A year ago, the United Nations reportedly estimated that all North Korean cyber criminals had stolen at least $2 billion cumulatively, suggesting an escalation of activities in the past year.
“Fraudulent ATM cash outs have affected upwards of 30 countries in a single incident. The conspirators have withdrawn cash from ATM machines operated by various unwitting banks in multiple countries, including in the United States,” the agencies asserted, noting that some smaller banks have endured the total destruction of “critical computer systems” at the hands of the hackers.
“The BeagleBoyz selectively exploit victim computer systems after initially compromising a computer connected to a financial institution’s corporate network,” the U.S. agencies explained. “After gaining initial access to a financial institution’s corporate network, the BeagleBoyz are selective in which victim systems they further exploit. The BeagleBoyz use a variety of techniques to run their code on local and remote victim systems.”
“Since February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs. The recent resurgence follows a lull in bank targeting since late 2019,” the security alert read. The agencies noted that the theft, in addition to its overt status as a crime, may violate United Nations sanction on North Korea over its illegal nuclear program, as the loot may be funding illegal military projects orchestrated from Pyongyang. The theft represents “substantial revenue for North Korea,’ the agencies claimed.
The “BeagleBoyz,” the alert added, were one of a sprawling network of such groups controlled by North Korean intelligence.
The U.S. government identified itself among the nations affected by the mass thefts. Also on the list are countries across the entire planet, including but not limited to Taiwan, Turkey, Pakistan, Argentina, Ghana, and India.
The agencies concluded that banks should give defense against North Korean hackers the “highest priority.”
“We know that North Korea uses cyber enabled tactics and techniques to steal currency, which it would otherwise be denied under international sanctions,” Brig. Gen. Joe Hartman, Cyber National Mission Force Commander, said in the official press release on the alert. “The Cyber National Mission Force is laser-focused on the away game — we understand what our adversaries are doing, and we share this information with our partners to take action against them.”
The South Korean news agency Yonhap noted on Thursday that American officials have repeatedly warned of illicit North Korean cyber-activity and estimated that the regime employs up to 6,000 individual hackers for its crimes. Officials do not believe all such hackers are based within North Korea.
U.S. and global cybersecurity authorities have for years tracked increased North Korean hacking activity by groups affiliated with the communist regime. The alert on Wednesday suggested that the line that divides “BeagleBoyz” from other hacking groups is blurred: “The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as: APT38 (FireEye), Bluenoroff (Kaspersky), Lazarus Group (ESTSecurity), and Stardust Chollima (CrowdStrike).”
Lazarus is among the most famous North Korean hacking collectives, generating significant publicity for a large cyber attack on Sony’s computer network in 2014 believed to be in retaliation for Sony’s movie studio releasing The Interview, a comedy mocking dictator Kim Jong-un. In 2017, a Google security researcher found evidence that Lazarus may have been involved in the “WannaCry” ransomware attack, which affected thousands of computers around the world. Unlike the ATM schemes, which use malware that simply secretly filter money to the hackers, “WannaCry” locked all the data on the affected computers and demanded their owners send money in exchange for their computers no longer being held hostage.
Also in 2017, the last year that Kim Jong-un approved a nuclear weapon test, the security firm FireEye warned that North Korean hackers appeared to be attempting to break into delicate computer systems controlling the U.S. power grid for “early-stage reconnaissance.” A cyber attack on a power grid could cause significant civilian unrest and damage similar to that of a natural disaster. FireEye noted that the hacking activities did not appear to be attempting any “imminent” attack, only to collect information that may one day be used for an attack.