The Cybersecurity and Infrastructure Security Agency (CISA) and other US agencies have issued a warning about increases in bank e-thefts worldwide organized by a hacking group called "BeagleBoyz." Researchers believe this group has ties to the North Korean government. The BeagleBoyz group is a subset of the North Korean-backed hacking collective known as the Lazarus Group or Hidden Cobra. The report with details of how the BeagleBoyz have made off with an estimated $2 billion in funds and cryptocurrency since 2015, along with details on how financial institutions can protect themselves against their known patterns of attack. The subgroup, active since at least 2014, works to provide the government, which faces economic sanctions, with illicit funds, according to the joint alert. Along with the theft of massive amounts of money that the United Nations believes is used for North Korea's nuclear weapons and ballistic missile programs, the e-robberies also pose a serious risk to financial institutions' reputations, their operations, and public confidence in banking.
The security firm F-Secure reports that the Lazarus Group recently targeted an employee of a cryptocurrency exchange with a fake job offer to insert malware and steal virtual currency. The group has used a variety of approaches to gaining initial access: Spear phishing, watering holes, social engineering, malicious files, and even contracted third-party hacking groups have been used for initial penetration. Once inside a network, the BeagleBoyz use a wide variety of approaches to meet their objectives, establish a persistent presence, evade defense, and harvest credentials of privileged users.
In its latest campaign, this hacking group has used a variety of malicious tools and malware to target banks and other organizations. The threat actors typically use compromised remote access to gain an initial foothold in a network. Once the hackers have penetrated a network, they attempt to conduct an ATM cash-out scheme and use money mules to collect the funds. Additionally, the BeagleBoyz group conducts fraudulent money transfers through SWIFT the global money-transfer network.
The BeagleBoyz group is believed to be responsible for a series of attacks against banks since 2016 that CISA calls "FASTCash.” Researchers also believe the BeagleBoyz group played a role in the theft of $81 million from Bangladesh Bank in 2016.
"As opposed to typical cybercrime, the group likely conducts well-planned, disciplined and methodical cyber operations more akin to careful espionage activities," according to the joint alert from the US agencies. "Their malicious cyber operations have netted hundreds of millions of US dollars and are likely a major source of funding for the North Korean regime. The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection."
VMware says that North Korean hackers have learned much of their craft from their Russian counterparts and have grown more sophisticated over the years. "They are truly formidable as they are the benefactors of tech transfer from the Russian dark web forums. It is imperative that the financial sector recognize that they have true situational awareness per the unique interdependencies of the sector and are willing to leverage counter incident response and destructive attacks to burn the evidence."
A VMware report indicates a BeagleBoyz hacking attempt typically starts with a spear-phishing email that targets specific bank employees. Or the hacking group uses a watering hole attack, which involves compromising legitimate websites and installing malware to target site visitors.
In the latest series of attacks, the BeagleBoyz group is also deploying social engineering techniques, such as fake job offers that target employees. The joint advisory notes: "Toward the end of 2018 through 2019 and in early 2020, the BeagleBoyz demonstrated the use of social engineering tactics by carrying out job application themed phishing attacks using publicly available malicious files."
This hacking group relies on other cybercriminal groups, such as TA505, to help gain the initial access into systems using commodity malware. Once a system gets compromised, the other group then hands overs access to BeagleBoyz for exploitation. To gain a foothold within a targeted network, the hackers use a number of techniques, including emailing malicious attachments that contain malware; exploiting weakness, bugs, and vulnerabilities in internet-facing systems; stealing credentials of a specific user or service account; and breaching third-party organizations that have access to the primary target's network, according to the alert.
The hacking group also deploys its own malware throughout compromised devices and networks. This includes trojans, such as Hoplight, identified in 2019. The malware comprises several proxy applications that are part of a "phone home" operation run by the hackers. The trojan can disguise the traffic that is sent back to its command-and-control server, the alert notes.
Malware such as Hoplight and another variant called CrowdedFlouder work with the hacking group's command-and-control infrastructure to assist with the exfiltration of data, which includes compressing and encrypting files to evade detection.
Red Sky Alliance can help protect with attacks such as these. We provide both internal monitoring in tandem with RedXray notifications on ‘external’ threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org