A global North Korean ATM cash-out scheme used to rob banks has intensified in 2020, according to the FBI, which, along with the Department of the Treasury, the Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Cyber Command, recently issued a joint cyber alert.
U.S. government agencies have “identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme.”
The FBI calls the group responsible the “BeagleBoyz.” The ATM cash-out scheme itself is called “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks” by the U.S. government.
BeagleBoyz is a part of the Reconnaissance General Bureau, which the Department of Treasury describes as “North Korea’s primary intelligence organization.”
Since 2015, BeagleBoyz has targeted over 30 nations, according to the joint cyber alert.
Krebs on Security described how the ATM cash-out process works: “Crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.”
Krebs on Security also reported that the FBI sent out a confidential alert to banks in August warning of an “unlimited operation.”
Krebs said that cybercrime gangs who put together coordinated unlimited attacks usually phish or hack into a payment card processor or bank and remove the fraud controls that limit how much a customer can withdraw and how many transactions they can make daily; then they launch the ATM cash-out.
“Since February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs,” said the FBI. “The recent resurgence follows a lull in bank targeting since late 2019.”
Although the public report did not clearly state whether the U.S. specifically is being affected by the BeagleBoyz in 2020, Theresa Payton, a former White House CIO for George W. Bush and current CEO of a cybersecurity firm, believes that U.S. banks have been impacted.
“If it’s North Korea and you see the Department of Treasury and Department of Justice are involved, then some U.S. banking interests have been impacted in some form or fashion.”
Payton also pointed out the globally interconnected nature of the banking industry, using Bank of America, which has offices in multiple countries, for example in China and Europe, to illustrate her point.
The cyber alert listed two new developments in the FASTCash scheme that have come to light since October 2018, which the alert labeled as “particularly significant.”
Payton explained that BeagleBoyz have learned how to intercept transactions between banks that use Windows servers and then reroute the transactions into North Korea’s hands.
“It would almost be like a digital mailman realizes there’s a really attractive, you know kind of a high value package and they change the address just slightly to deliver it to themselves,” Payton elaborated.
“They’re actually hidden in the system, waiting for a transaction and routing it somewhere else.”
The alert also mentioned another new strategy of the BeagleBoyz: job applications.
The group has posed as employers offering jobs that bank employees might want to apply for, then gathered information through the job applications. In short, a phishing attack, Payton explained.
According to the cyber alert, such attacks started in late 2018, went on through 2019, and occurred in early 2020.
BeagleBoyz are also attacking in a different style than they have in the past. Payton described it as more destructive. In the past the group would rob and then move on, but now the BeagleBoyz trash the systems until they’re useless.
“It’s like they’re digitally torching the systems,” she said.
Payton said the first publicly known instance of this style of attack happened about two years ago.
“Whether they are successful or not, they are often doing some tactic that disrupts operations,” she added.
North Korea’s advancement in cyberattacks has been evident in recent years, and the United States says the activity is connected to the nation’s response to financial sanctions.
According to a document detailing the United States of America vs 280 Virtual Currency Accounts case, a panel of experts was chosen by the United Nations Security Council “to investigate compliance with sanctions against North Korea.”
In the panel’s August 2019 report, it “noted how the North Korean government has ‘used cyberspace to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income’.”
The panel reported that North Korea used such methods to get around financial sanctions.
In response to the joint alert, North Korea denied involvement, accusing the U.S. of being hypocritical, reported the Korea JoongAng Daily.
How Banks Can Be Proactive
Payton says that if she were a CIO or CISO at a financial institution anywhere around the world, “… I would actually use this as my step-by-step checklist to go through all of the systems and platforms and processes.”
In terms of being proactive in staying on top of advancing cyber threats, Payton has three pieces of advice for banks:
- Don’t be afraid to call the FBI if you spot a potential issue. They won’t run to the press.
- Make an incident response playbook, incorporating scenarios nation-states could use to rob your bank.
- Authenticate machine-to-machine transactions. This includes hand-offs, encryption and password authentication.
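As an added illustration (not part of the article or the government alert), the following Python sketch shows the kind of per-card check a bank’s fraud team could run over ATM withdrawal logs to spot the pattern described above: withdrawals that exceed the issuer’s own daily amount and count limits (which means the control enforcing them did not fire) and rapid withdrawals across many countries. The log lines, card numbers and limits are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawal records (time, card, ATM country, amount); not real data.
SAMPLE_LOG = """\
2020-02-08T02:01:10Z,4111000011,PH,500
2020-02-08T02:03:44Z,4111000011,PH,500
2020-02-08T02:10:02Z,4111000011,IN,500
2020-02-08T02:15:30Z,4111000011,TH,500
2020-02-08T02:20:12Z,4111000011,GH,500
2020-02-08T02:25:55Z,4111000011,ID,500
2020-02-08T09:12:00Z,4222000022,US,200
2020-02-08T17:45:00Z,4222000022,US,100
"""
DAILY_LIMIT = 1000       # assumed per-card daily withdrawal limit the issuer enforces
DAILY_TXN_CAP = 4        # assumed per-card daily transaction count limit
WINDOW = timedelta(hours=2)
MIN_COUNTRIES = 3        # withdrawals from this many countries inside WINDOW is suspicious

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, card, country, amount = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), card, country, int(amount)))
    return rows

def detect_cashout(rows):
    """Return {card: [reasons]} for cards whose activity looks like an unlimited operation."""
    by_card = defaultdict(list)
    for row in sorted(rows):            # sorted by time, so each card's list is chronological
        by_card[row[1]].append(row)
    findings = defaultdict(list)
    for card, txns in by_card.items():
        per_day = defaultdict(lambda: [0, 0])   # day -> [total amount, count]
        for ts, _, _, amount in txns:
            per_day[ts.date()][0] += amount
            per_day[ts.date()][1] += 1
        # Exceeding the issuer's own limits means the control enforcing them did not fire.
        for day, (total, count) in per_day.items():
            if total > DAILY_LIMIT:
                findings[card].append(f"{day}: total {total} exceeds daily limit {DAILY_LIMIT}")
            if count > DAILY_TXN_CAP:
                findings[card].append(f"{day}: {count} withdrawals exceed cap {DAILY_TXN_CAP}")
        # Cloned cards used at ATMs in several countries within a short window.
        for i, (start, _, _, _) in enumerate(txns):
            countries = {c for ts, _, c, _ in txns[i:] if ts - start <= WINDOW}
            if len(countries) >= MIN_COUNTRIES:
                findings[card].append(f"{len(countries)} countries within {WINDOW} of {start:%H:%M}")
                break
    return dict(findings)
```

Running `detect_cashout(parse_log(SAMPLE_LOG))` flags only the first card, with three reasons; the second card stays within its limits and a single country.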