Primer:
North Korea’s Foreign Ministry on Saturday called the United States a “mastermind of cybercrime” as it responded to a report detailing Pyongyang’s efforts to hack banks.
In an English-language statement posted on the ministry’s website, a spokesperson for the country’s “National Coordination Committee for Anti-Money Laundering and Countering the Financing of Terrorism” denied the regime’s link to any online criminal activities, claiming there was no truth to the “preposterous rumors” circulated by the United States.
The U.S. Treasury Department and three federal agencies including the FBI said in an alert issued Wednesday that hackers attempted to initiate fraudulent money transfers and ATM “cash-outs” from multiple countries that appeared to be part of the North’s “extensive, global cyber-enabled bank robbery scheme.” More here.
The BeagleBoyz have made off with nearly $2 billion since 2015, and they’re back to attacking financial institutions after a short lull in activity.
The BeagleBoyz, part of the North Korean government’s hacking apparatus, are back to targeting banks around the world after a brief pause in activity.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert with details of how the BeagleBoyz have made off with an estimated $2 billion in fiat and cryptocurrency since 2015, along with details on how financial institutions can protect themselves against their known patterns of attack.
Along with the theft of massive amounts of money that the United Nations believes is used for North Korea’s nuclear weapons and ballistic missile programs, the robberies also pose a serious risk to financial institutions’ reputations, their operations, and public confidence in banking, CISA said.
The BeagleBoyz aren’t typical cybercriminals either: They conduct “well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities,” CISA warns. “Over time, their operations have become increasingly complex and destructive. The tools and implants employed by this group are consistently complex and demonstrate a strong focus on effectiveness and operational security.”
The group has used a variety of approaches to gaining initial access: Spear phishing, watering holes, social engineering, malicious files, and even contracted third-party hacking groups have been used for initial penetration.
Once inside a network, the BeagleBoyz have again used a wide variety of approaches to meet their objectives, establish a persistent presence, evade defense, and harvest credentials of privileged users.
CISA said that the BeagleBoyz appear to seek out two particular systems in a financial institution’s network: It’s SWIFT terminal and the server hosting the payment switch application for the bank. They map networks using locally-available administrative tools, deploy a constantly evolving list of command and control software, and ultimately try to make off with any possible money they can get their hands on via fraudulent ATM cashouts.
“After gaining access to either one or both of these operationally critical systems, the BeagleBoyz monitor the systems to learn about their configurations and legitimate use patterns, and then they deploy bespoke tools to facilitate illicit monetization,” CISA said.
It isn’t known if the BeagleBoyz have successfully targeted a US-based financial institution, and CISA’s report suggests they’ve been active primarily in other parts of the world. That doesn’t mean they won’t attempt to break into a US-based bank: Everyone in the cybersecurity arm of the financial industry should be alert.
Protecting against the BeagleBoyz
CISA makes the following mitigation suggestions based on particular industry:
All financial institutions:
- Verify compliance with Federal Financial Institution Examination Council security handbooks
- Verify compliance with other industry security standards, like those from PCI and SWIFT.
Institutions with retail payment systems:
- Require chip and PIN for all transactions
- Isolate payment system infrastructure behind multiple authentication factors
- Segment networks into separate, secure enclaves
- Encrypt all data in transit
- Monitor networks for anomalous behavior
Institutions with ATMs or point-of-sale devices:
- Validate issuer responses to financial request messages
- Implement chip and PIN for debit transactions
These suggestions come along with general good security habits such as enforcing strong password policies, keeping all systems up to date, disabling all unnecessary services on workstations, scanning documents and emails for potential malicious code, and staying up to date on the latest threats.
Pingback: NK Hackers are Robbing Banks Around the World | NoisyRoom.net