After Brief Pause, North Korea Resumes Cyberthefts Against Global Banks and ATMs

By Daniel Bethencourt

North Korean government-sponsored hackers are still draining millions of dollars from banks and ATMs across the world in a cybertheft campaign that benefits the country’s leadership, a U.S. interagency group has found.

In an 18-page advisory, the FBI, Treasury Department and two cybersecurity agencies claim that in February, “North Korea’s intelligence apparatus” ordered a team of hackers—which U.S. officials have dubbed the “BeagleBoyz”—to resume attacking and stealing cash from ATMs worldwide as part of a strategy that began in earnest in 2015 before petering out late last year.

Wednesday’s advisory links the BeagleBoyz to the Lazarus Group, a North Korean organization that reportedly hacked into ATMs in several countries and stole $81 million from the Bank of Bangladesh by using the lender’s portal to the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, network to send out fraudulent payment instructions.

Like the Lazarus Group, the BeagleBoyz have stolen hundreds of millions of dollars from ATMs in more than 30 countries and likely represent “a major source of funding for the North Korean regime,” U.S. officials wrote Wednesday.

Attacks attributed to the BeagleBoyz have caused disruptions well beyond a single machine.

“In 2018, a bank in Africa could not resume normal ATM or point of sale services for its customers for almost two months,” U.S. officials claimed Wednesday. An attack against a Chilean lender that same year “crashed thousands of computers and servers to distract from efforts to send fraudulent messages from the bank’s compromised SWIFT terminal.”

The group has withdrawn cash from ATMs in “various unwitting banks in multiple countries, including in the United States,” according to the advisory, but the U.S. was not listed alongside 38 others that have been targeted since 2015, including several in Latin America, Southern and East Africa and East Asia.

The advisory suggests that North Korean actors have scaled up and professionalized a typology that has historically relied on a complicit employee and a larger network of conspirators to hack into and rob a bank’s ATMs, said Steve Santorelli, a former computer-crime director at Scotland Yard.

Previous schemes used “a ‘use once and discard’ network of typically vulnerable, cash-strapped humans with low technical skill in whom the … mastermind has zero trust,” said Santorelli, now director of intelligence at Team Cymru, a cybersecurity firm in Florida. “So it [was] expensive to milk these ATMs in the relatively short time of the jackpotting stage of a heist.”

At least 35 North Korean hacks have triggered investigations, including in the Philippines, where the $81 million stolen from the Bank of Bangladesh in February 2016 via SWIFT transited into accounts at RCBC, a Manila-based lender, before moving into the country’s lightly regulated casino industry.

According to U.S. officials, North Korean hackers often infiltrate banks by conducting spear-phishing campaigns against their employees and luring them to malicious websites known as “watering holes.” They have also farmed out the task of initial entry to other organizations.

They then sometimes wait months to “selectively exploit victim computer systems” by identifying those that connect to crucial payment infrastructure.

“The U.S. government has observed the BeagleBoyz successfully monetizing illicit access to financial institutions’ SWIFT terminals to enable wire fraud and gain access to the institutions’ payment-switch application servers, which allowed fraudulent ATM cash outs,” officials wrote Wednesday.

The BeagleBoyz are only one incarnation of a years-long, state-sponsored cybertheft campaign that has already elicited previous notices from the same U.S. agencies, and, according to U.N. estimates, generated up to $2 billion for North Korea’s government.

An advisory published in October 2018 identified North Korea as the culprit of a series of ATM cash-out schemes that targeted banks in Africa and Asia.

More than two years earlier, in May 2016, U.S. officials privately warned banks in a memo obtained by ACAMS that the infiltration of the Bank of Bangladesh’s SWIFT portal earlier that year could be repeated against other institutions for financial gain, or even modified to “conduct destructive network attacks” against the global financial system.

Wednesday’s advisory recommends that banks follow the cybersecurity principles promulgated by the Federal Financial Institutions Examination Council, or FFIEC.

That U.S. officials re-emphasized those long-standing guidelines—which touch on concepts such as “segmenting” access within a network and updating cybersecurity protocols—suggests that compliance still varies from institution to institution, said Jed Davis, a former federal prosecutor in Brooklyn.

“One of the things that sticks out in this report is that bad guys are finding some way to roll into the systems,” said Davis, now an independent attorney in New York. “There are plenty of institutions that are reasonably sophisticated [in business] but poor in security.”

Other institutions have built robust cybersecurity systems over the past decade, leading some cyberthieves to target institutions with vulnerable systems to either “steal from those enterprises or coopt counterparties as platforms from which to steal from banks.”

Topics: Anti-money laundering, Sanctions, Info. Security/Cybercrime, Cryptocurrencies
Source: U.S.: Department of Treasury, U.S.: Law Enforcement
Document Date: August 27, 2020