United States government agencies have warned the banking community to be on the lookout for a gang of North Korean cyber-thieves dubbed BeagleBoyz.
The gang is behind a cash-out scheme known as FASTCash that has stolen millions of dollars from banks around the world. The scheme involves remotely compromising the bank systems that process ATM withdrawal requests so that fraudulent transactions are approved and ATMs dispense cash to the gang's accomplices.
A joint advisory describing the threat was issued yesterday by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI), and US Cyber Command (USCYBERCOM).
According to the advisory, the BeagleBoyz’ bank robberies pose severe operational risk to individual firms, beyond the financial loss from theft, recovery costs and reputational harm.
"The BeagleBoyz have attempted to steal nearly $2 billion since at least 2015, according to public estimates," states the advisory.
"Equally concerning, these malicious actors have manipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions."
In many cyber-attacks orchestrated by the BeagleBoyz, destructive anti-forensic tools have been planted in the computer networks of victim institutions.
In 2018, the gang deployed wiper malware against a bank in Chile, crashing thousands of computers and servers. The attack was later found to be a distraction designed to divert attention away from BeagleBoyz' attempts to send fraudulent messages from the bank’s compromised SWIFT terminal.
That same year, a bank in Africa that was attacked by the gang was left unable to restore normal ATM or point-of-sale services to its customers for nearly two months after suffering a cash-out attack.
BeagleBoyz has been running the FASTCash scheme since 2016. On some occasions, fraudulent ATM cash-outs have affected upward of 30 countries in a single incident, including the United States.
Erich Kron, security awareness advocate at KnowBe4, said that ATM cash-out schemes are often well organized and can include many accomplices around the world working together to make large withdrawals simultaneously.
"The use of phishing emails and LinkedIn connections demonstrates how the initial attacks are often done using low-tech social engineering schemes, then move into more high-tech techniques once in the network," said Kron.