U.S. Warns of Global Bank Heist Campaign by North Korean Hackers
Hackers tied to the North Korean government are trying to rob banks across the globe by draining ATMs and initiating fraudulent money transfers, in an effort by the cash-strapped Pyongyang regime to fund its nuclear weapons program, multiple federal government agencies warned Wednesday.
The campaign includes so-called spearphishing attacks—which use fraudulent email to infect a computer or persuade the victim to reveal a password or other information—and social engineering schemes. It has been under way since at least February and represents a resurgence of operations after an apparent lull in bank robberies by North Korea last year, the Federal Bureau of Investigation, Department of Homeland Security, U.S. Treasury Department and U.S. Cyber Command said in a joint statement.
The hackers have also aimed at retail payment infrastructures and interbank payment processors, the agencies said.
“North Korean cyber actors have demonstrated an imaginative knack for adjusting their tactics to exploit the financial sector as well as any other sector through illicit cyber operations,” Bryan Ware, assistant director for cybersecurity at the Department of Homeland Security, said in a statement.
U.S. and U.N. officials say North Korea’s cyber thefts are overseen by the nation’s intelligence agency and reap billions of dollars, money that is used by the Kim Jong Un regime to preserve its dictatorial grip on power and to fund its vast military and its weapons programs. That revenue has been critical in offsetting income from other activities lost in the wake of economywide U.N. sanctions.
The agencies attributed the campaign to a North Korean hacking team the U.S. government has named BeagleBoyz that specializes in robbing banks through remote internet access. The group has targeted financial institutions in India, Brazil, Indonesia, Spain, Turkey and several countries throughout Southeast Asia and Africa since 2015, the agencies said.
U.N. investigators say the complexity of the orchestrated ATM thefts across dozens of countries shows North Korea’s cyber capabilities have become dangerously sophisticated.
North Korea’s mission to the U.N. didn’t immediately respond to a request for comment, but officials have previously denied the country’s agents have hacked financial institutions.
As the November election nears, senior members of the Trump administration have argued that tensions have cooled with Pyongyang since Mr. Trump took office.
“The president lowered the temperature and, against all odds, got North Korean leadership to the table,” Secretary of State Mike Pompeo said in an unprecedented address to the Republican Party convention. He cited a pause in nuclear and long-range missile testing, and the release of Americans held captive in North Korea.
North Korea’s cyber-enabled bank-robbing campaigns have proven lucrative to the perpetrators and debilitating to the victims, the agencies said.
The agencies linked the BeagleBoyz group to the theft of $81 million from the Bank of Bangladesh in 2016, part of an attempted $1 billion heist disrupted by the Federal Reserve Bank of New York.
In 2018, hackers linked to North Korea stole more than $13 million from India’s Cosmos Bank by penetrating three layers of defense and then coordinating simultaneous withdrawals from 14,000 ATMs across 28 countries, according to U.N. officials.
U.S. security officials say withdrawals like that require North Korea’s agents to join with local and international criminal organizations that get a cut of the booty for stationing people at the ATMs.
ATM and retail point of sale services for an unidentified bank in Africa were down for two months in 2018 after an attempted theft. A bank in Chile was hit with a type of file-destroying malware that crashed thousands of computers and distracted from efforts by the hackers to send fraudulent financial transaction statements via the bank’s compromised SWIFT terminal, which is used by banks to securely send and receive money with one another.
BeagleBoyz is part of a broader umbrella of North Korean hacking activity known as Hidden Cobra, the alert said, and they overlap with another entity known as Lazarus, which industry and government analysts say was responsible for the 2018 campaign against Cosmos Bank.
Lazarus has been accused of stealing hundreds of millions of dollars in other operations and was also blamed for one of the world’s most devastating cyberattacks—the WannaCry virus—that hit hospitals, businesses and a host of other private sector and government entities in 2017.
The U.S. Treasury late last year blacklisted the group as part of an interagency effort to expose North Korea’s cyber activities and disrupt its operations.
Photo: North Korean leader Kim Jong Un is said to be observing a test of a tactical weapon in this photo released in March by the country’s news agency. (KCNA/Yonhap News/Newscom/Zuma Press)