North Korean hackers have revived an audacious scam to defraud the global banking industry of hundreds of millions of dollars, US cyber analysts have revealed.
New details of the multi-year campaign are disclosed in a joint advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), Treasury and FBI.
Since February, hackers working on behalf of the regime’s Reconnaissance General have stepped up efforts to exploit vulnerabilities in bank payment systems, in order to trigger fraudulent transfers and extract vast sums of cash from ATMs.
Through the scheme, which has been in operation since 2015, the ‘BeagleBoyz’ hackers have so far attempted to generate $2bn for the cash-strapped regime, which is feared by the United Nations to be using criminal revenues to fund its illegal nuclear weapons programme. One high-profile attack, targeting the Bank of Bangladesh in 2016, netted the group $81m alone.
CISA last reported on the scheme in October 2018, having identified malware that could intercept and approve financial requests by manipulating IBM’s AIX servers. Once the hackers had signed off the requests, they were able to seize the funds using “extensive ATM cashouts”, CISA said.
In the latest advisory, the cyber agency said it had seen “two particularly significant developments in the campaign: (1) the capability to conduct the FASTCash scheme against banks hosting their switch applications on Windows servers, and (2) an expansion of the FASTCash campaign to target interbank payment processors”. It described the Windows malware as “functionally equivalent” to that which targeted IBM’s servers.
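The two signals the advisory points to (the switch approving requests the bank never authorised, followed by a burst of ATM withdrawals on the same cards) can both be checked by reconciling the switch's outbound responses against the core banking system's own decision log. The Python below is an added illustration, not code from CISA, Mandiant or this article; it assumes a simplified model in which every ATM request passes through the switch to the core and back, and all transaction ids, masked card numbers, amounts and timestamps are constructed sample data.

```python
"""Reconciliation checks for FASTCash-style fraudulent approvals.

Added illustrative example (not from the CISA advisory or the article).
Model assumed here: an ATM withdrawal request reaches the payment switch,
the switch asks the core banking system for a decision, and the switch
then answers the ATM network.  Malware running on the switch host can
answer "approved" without any matching core decision, so comparing the
two logs exposes the gap.  Every record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SwitchResponse:
    txn_id: str       # constructed id
    card: str         # constructed, masked card number
    amount: float
    approved: bool
    ts: datetime


@dataclass(frozen=True)
class CoreDecision:
    txn_id: str
    approved: bool


def find_unbacked_approvals(switch_log, core_log):
    """Return switch approvals that the core never approved.

    An approval with no core record at all, or with a core decline, is
    exactly what response injection on the switch produces.
    """
    core = {d.txn_id: d.approved for d in core_log}
    return [r for r in switch_log if r.approved and not core.get(r.txn_id, False)]


def find_cashout_bursts(switch_log, window=timedelta(minutes=30), threshold=5):
    """Return {card: count} for cards with >= threshold approved
    withdrawals inside any sliding window of the given length.

    Cash-out crews drain many ATMs with the same cards in a short period.
    """
    by_card = defaultdict(list)
    for r in switch_log:
        if r.approved:
            by_card[r.card].append(r.ts)
    flagged = {}
    for card, times in by_card.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[card] = j - i
                break
    return flagged


# Constructed sample data: a few normal transactions, one card approved at
# six ATMs in 20 minutes with no core record, and one core decline that
# the switch nevertheless answered as approved.
T0 = datetime(2020, 8, 26, 2, 0)

SWITCH_LOG = [
    SwitchResponse("t1", "5412**1111", 200.0, True, T0),
    SwitchResponse("t2", "5412**1111", 50.0, False, T0 + timedelta(minutes=3)),
    SwitchResponse("t3", "5412**2222", 300.0, True, T0 + timedelta(minutes=5)),
    *[SwitchResponse(f"t{n}", "4000**9999", 500.0, True,
                     T0 + timedelta(minutes=6 + 3 * i))
      for i, n in enumerate(range(4, 10))],
    SwitchResponse("t10", "5412**3333", 120.0, True, T0 + timedelta(hours=2)),
]

CORE_LOG = [
    CoreDecision("t1", True),
    CoreDecision("t2", False),
    CoreDecision("t3", True),
    CoreDecision("t10", False),
]


def run_checks(switch_log=SWITCH_LOG, core_log=CORE_LOG):
    """Run both checks and return their findings together."""
    return {
        "unbacked_approvals": [r.txn_id for r in find_unbacked_approvals(switch_log, core_log)],
        "cashout_bursts": find_cashout_bursts(switch_log),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

The reconciliation only works if the core's decision log is collected on a host the switch malware cannot reach; a check that reads both records from the compromised switch would see whatever the attacker chose to write.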
Mandiant Threat Intelligence, which tracks North Korea’s financial scams, said it had previously seen HOPLIGHT, one of the exploits detailed in the CISA report, used by another North Korean hacking group. “The tool’s reported use in activity directly targeting banks highlights how financially-motivated North Korean operations share malware code and other development resources with cyber espionage groups sponsored by the regime.”
The attacks are believed to have targeted banks in nearly 40 countries, including South Korea, Japan, India, Spain, Mexico and Brazil, but not the US or UK.
Bryan Ware, a senior cybersecurity official at the US Department of Homeland Security, said in a statement: “North Korean cyber actors have demonstrated an imaginative knack for adjusting their tactics to exploit the financial sector as well as any other sector through illicit cyber operations.”