US government exposes North Korean government ATM cashout hacking campaign

Written by

The U.S. government called out North Korea on Wednesday over a government-led hacking campaign that has been focused on stealing cash from ATMs around the world.

The operation, run out of the North Korean government’s Reconnaissance General Bureau — through a hacking group the U.S. government refers to as Hidden Cobra — poses a “significant threat to financial institutions,” the Department of Defense, Department of Homeland Security, FBI, and U.S. Treasury said in a joint release.

The scheme comes as North Korea is under the crush of harsh international sanctions, which is forcing the country to find money through any means necessary. In exposing the campaign, the U.S. government says it aims to throttle those efforts.

“We know that North Korea uses cyber-enabled tactics and techniques to steal currency, which it would otherwise be denied under international sanctions,” the Pentagon’s Cyber Command Cyber National Mission Force Commander, Brig. Gen. Joe Hartman, said in a statement.

In addition to cutting off the regime from illicit funds, the U.S. government’s interest in exposing the regime’s hacking schemes is also meant to signal to Kim Jong-un that North Korea’s cyber-operations are not anonymous.

“The Cyber National Mission Force is laser-focused on the away game — we understand what our adversaries are doing, and we share this information with our partners to take action against them,” Hartman said.

The joint announcement follows a steady stream of U.S. government efforts to publicly ferret out North Korean government-linked hacking. The hacking group exposed Wednesday, which is also known as APT38 or Lazarus Group, has also recently been sending fake job postings in spearphishing attacks targeting the defense sector. Previous announcements from the U.S. government have also exposed financially-motivated hacking campaigns.

But despite the attention, North Korean hackers don’t seem deterred.

“If anybody thought that the public exposure of the group’s heists … was going to be some kind of deterrence or mitigation to these attack campaigns, they need to think again,” Vikram Thakur, a researcher at Symantec, told CyberScoop. “The fact that everybody has been out there for so many years calling out Lazarus Group and that has not made a dent in the attacks at all, speaks to the doubling down and continued backing of the regime to conduct these attacks.”

The hackers

The hacking group is a particular subset of the Hidden Cobra group, which the U.S. government is calling “BeagleBoyz.” That subset is estimated to have stolen $2 billion through hacking campaigns since 2015, including $81 million from the Bank of Bangladesh in 2016. It is also behind FASTCash ATM cashouts reported in October 2018.

The group has also proven to be adept at changing their techniques in recent years, posing a significant challenge for those tracking them, the U.S. government noted Wednesday.

“As opposed to typical cybercrime, the group likely conducts well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities,” the U.S. government said in the joint release. “The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection. Over time, their operations have become increasingly complex and destructive.”

In this particular hacking spree, hackers have leveraged a malicious file that is capable injecting itself into a remote Windows process that eventually helps the hackers target systems in banks designed to process ATM transactions. This allows them to withdraw more cash than is available in the machine, according to the government’s Malware Analysis Report.

The North Korean government hackers have used other malware: VIVACIOUSGIFT, a network proxy tool, and ECCENTRICBANDWAGON, a  tool used for espionage and reconnaissance, like key logging and gathering screen grabs.

In an effort to help private sector and system administrators protect against the North Korean government’s hacking campaigns, Hartman and Cyber Command will be sharing these malware samples on malware-sharing repository VirusTotal on Wednesday.

Disrupting North Korea: is it working?

BeagleBoyz has several overlaps with Lazarus Group, APT38, Stardust Chollima, and Bluenoroff, a group the Treasury Department sanctioned last year for its financial sector hacking.

But despite great international attention to their cyber-operations, their rap sheet is extensive; beyond Bangladesh, they have previously targeted financial entities in India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam, as well as the Society for Worldwide Interbank Financial Telecommunication (SWIFT) monetary transfer system, according to the U.S. government.

The group also likely has targets in Argentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Costa Rica, Ecuador, Ghana, Indonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mozambique, Nepal, Nicaragua, Nigeria, Panama, Peru, Singapore, South Africa, South Korea, Spain, Tanzania, Togo, Uganda, Uruguay, and Zambia, according to the U.S. government.

The U.S. government has made efforts to call out some of their toolsets before, like last year when it exposed another North Korean network proxy tunneling tool, called ELECTRICFISH. The government believes that exposure caused the North Koreans to abandon the tool.

“There has been a noticeable decline in ELECTRICFISH use following the U.S. Government’s disclosure of it in May 2019,” the U.S. government said in the joint release Wednesday.

In recent years, the BeagleBoyz may have also begun working with a set of Russian-speaking hackers known as TA505, to gain initial accesses to targets, which could be making tracking the North Korean hacking more difficult, the U.S. government assessed.

“The BeagleBoyz may also be working with or contracting out to criminal hacking groups, like TA505, for initial access development,” the joint release states. “The third party typically uses commodity malware to establish initial access on a victim’s network and then turns over the access to the BeagleBoyz for follow-on exploitation, which may not occur until months later.”