NewsBite

US warns of global bank heist campaign by North Korean hackers

Hackers are trying to rob banks across the globe as cash-strapped Pyongyang regime tries to fund its weapons.

North Korean leader Kim Jong-un celebrating the test-firing of a 'newly developed super-large multiple rocket launcher' at an undisclosed location in 2019. Picture: KCNA via KNS

Hackers tied to the North Korean government are trying to rob banks across the globe by draining ATMs and initiating fraudulent money transfers, in an effort by the cash-strapped Pyongyang regime to fund its nuclear weapons program, multiple federal government agencies warned Wednesday.

The campaign includes so-called spearphishing attacks — which use fraudulent email to infect a computer or persuade the victim to reveal a password or other information — and social engineering schemes. It has been under way since at least February and represents a resurgence of operations after an apparent lull in bank robberies by North Korea last year, the Federal Bureau of Investigation, Department of Homeland Security, U.S. Treasury Department and U.S. Cyber Command said in a joint statement.

The hackers have also aimed at retail payment infrastructures and interbank payment processors, the agencies said.

“North Korean cyber actors have demonstrated an imaginative knack for adjusting their tactics to exploit the financial sector as well as any other sector through illicit cyber operations,” Bryan Ware, assistant director for cybersecurity at the Department of Homeland Security, said in a statement.

Reaping billions

US and UN officials say North Korea’s cyber thefts are overseen by the nation’s intelligence agency and reap billions of dollars, money that is used by the Kim Jong-un regime to preserve its dictatorial grip on power and to fund its vast military and its weapons programs. That revenue has been critical in offsetting income from other activities lost in the wake of economywide UN sanctions.

This undated picture released from North Korea's official Korean Central News Agency (KCNA) on April 10, 2020 shows Kim Jong-un inspecting a drill of mortar sub-units of corps of the Korean People's Army at an undisclosed location. Picture: Supplied

The agencies attributed the campaign to a North Korean hacking team the U.S. government has named BeagleBoyz that specialises in robbing banks through remote internet access. The group has targeted financial institutions in India, Brazil, Indonesia, Spain, Turkey and several countries throughout Southeast Asia and Africa since 2015, the agencies said.

U.N. investigators say the complexity of the orchestrated ATM thefts across dozens of countries shows North Korea’s cyber capabilities have become dangerously sophisticated.

North Korea’s mission to the UN didn’t immediately respond to a request for comment, but officials have previously denied the country’s agents have hacked financial institutions.

As the November election nears, senior members of the Trump administration have argued that tensions have cooled with Pyongyang since Mr. Trump took office.

“The president lowered the temperature and, against all odds, got North Korean leadership to the table,” Secretary of State Mike Pompeo said in an unprecedented address to the Republican Party convention. He cited a pause in nuclear and long-range missile testing, and the release of Americans held captive in North Korea.

North Korea’s cyber-enabled bank-robbing campaigns have proven lucrative to the perpetrators and debilitating to the victims, the agencies said.

A man watches a television news broadcast showing file footage of a North Korean missile test, at a railway station in Seoul in April 2020. Picture: Jung Yeon-je/AFP

The agencies linked the BeagleBoyz group to the theft of $81 million from the Bank of Bangladesh in 2016, part of an attempted $1 billion heist disrupted by the Federal Reserve Bank of New York.

In 2018, hackers linked to North Korea stole more than $13 million from India’s Cosmos Bank by penetrating three layers of defence and then co-ordinating simultaneous withdrawals from 14,000 ATMs across 28 countries, according to UN officials.

US security officials say withdrawals like that require North Korea’s agents to join with local and international criminal organisations that get a cut of the booty for stationing people at the ATMs.

The hackers are believed to co-ordinate simultaneous ATM withdrawals among their methods of attack. Picture: Supplied

ATM and retail point-of-sale services for an unidentified bank in Africa were down for two months in 2018 after an attempted theft. A bank in Chile was hit with a type of file-destroying malware that crashed thousands of computers and distracted from efforts by the hackers to send fraudulent financial transaction statements via the bank’s compromised SWIFT terminal, which is used by banks to securely send and receive money with one another.

BeagleBoyz is part of a broader umbrella of North Korean hacking activity known as Hidden Cobra, the alert said, and they overlap with another entity known as Lazarus, which industry and government analysts say was responsible for the 2018 campaign against Cosmos Bank.

Lazarus has been accused of stealing hundreds of millions of dollars in other operations and was also blamed for one of the world’s most devastating cyberattacks — the WannaCry virus — that hit hospitals, businesses and a host of other private sector and government entities in 2017.

Dow Jones


Original URL: https://www.theaustralian.com.au/business/the-wall-street-journal/us-warns-of-global-bank-heist-campaign-by-north-korean-hackers/news-story/29138170b8d9a842ad454eeba4224a1a