According to warnings issued by multiple government agencies in the US, hackers in North Korea, operating under the name ‘BeagleBoyz’, have been conducting a series of attacks employing remote access solutions to steal what amounts to millions from banks around the world.

The joint statement issued recently by the agencies states the hacker outfit has resumed its activities stealing from international banks via remote access to the internet in order to supply funds to North Korea.

Threats uncovered by combined analysis

The details included in the shared information provided by the US Government comprise data collected and uncovered by security analysts at the Federal Bureau of Investigation, the Department of the Treasury, the US Cyber Command and the Cybersecurity and Infrastructure Security Agency.

The government advisory commented:

“Since February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs. The recent resurgence follows a lull in bank targeting since late 2019.”

The governmental warning added that in one of the BeagleBoyz attacks, involving an ATM cash-out tactic, they were able to withdraw cash from ATM devices employed by various banks in several different countries, one of which being the USA.

A Twitter post from US-based Cyber Command also stated the BeagleBoyz are now targeting over 30 different nations in a largescale theft with the aim of stealing approximately $2 billion.

The hacker group also targets victims in the banking sector, using SWIFT scams that employ the dedicated systems and services of unwitting financial institutions. An example of this form of attack was the strike made in 2016 on the Bank of Bangladesh, where $81 million was stolen. Fortunately, New York’s Federal Reserve bank managed to put a stop to the transfer before the remainder of what could have been a theft of $1 billion was completed.

Methods and motives

The North Korean BeagleBoyz are also behind the complex cash-out campaigns that made headlines as “FASTCash” attacks in 2018. They have been identified as working for the nation’s governmental office known as the ‘Reconnaissance General Bureau’, and are believed to have been operating since around 2014, stealing funds for the regime of North Korea.

The hacker outfit’s activity has been associated with multiple other threat gangs tracked by international cyber security companies Kaspersky and FireEye, including cybercriminal groups APT38, Bluenoroff and the Lazarus Group.

Commenting on hacker’s methods, the government agencies stated:

“The BeagleBoyz use a variety of tools and techniques to gain access to a financial institution’s network, learn the topology to discover key systems, and monetize their access. In addition to robbing traditional financial institutions, the BeagleBoyz target cryptocurrency exchanges to steal large amounts of cryptocurrency, sometimes valued at hundreds of millions of dollars per incident.”

Cryptocurrency can offer threat actors an attractive option for theft, as it provides an irreversible process and an untraceable commodity that can be changed into flat currency. Additionally, cryptocurrency transfers are not equipped with claw-back recall mechanisms in place for recouping stolen funds.