Federal authorities warn North Korean hackers are targeting banks

A group of U.S. federal agencies on Wednesday issued an alert warning of North Korean cyber-enabled bank robbery schemes targeting financial institutions.

The Treasury Department, the FBI, U.S. Cyber Command, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned in the joint alert that a prolific North Korean hacking group known as “BeagleBoyz” had resumed targeting financial institutions. 

“Since February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs,” the agencies wrote in the alert. “The recent resurgence follows a lull in bank targeting since late 2019.”

According to the agencies, BeagleBoyz has attempted to steal $2 billion since at least 2015, and in the process have “manipulated” or “rendered inoperable” computer systems at banks and other financial institutions in almost 40 countries. 

The agencies warned that BeagleBoyz has been using malware for a “FASTCash” scheme to target payment infrastructure at banks and servers that process financial transaction messages, with the scheme dating to 2016. The scheme enabled the group to intercept financial messages and respond with messages that enabled ATM payments. 

The group is affiliated with another North Korean hacking group, Lazarus, which was sanctioned by the Treasury Department last year for targeting critical infrastructure, with the agency describing the group at the time as a “controlled entity of the Government of North Korea.”

“North Korea’s widespread international bank robbery scheme that exploits critical banking systems may erode confidence in those systems and presents risks to financial institutions across the world,” the agencies wrote. 

North Korea is regarded as one of the most dangerous adversaries to the U.S. in cyberspace alongside Russia, China and Iran. According to the federal agencies, North Korean authorities use funds obtained through hacking operations to fund nuclear weapons and ballistic missile programs. 

Bryan Ware, the assistant director of cybersecurity at CISA, said in a statement on Wednesday that “North Korean cyber actors have demonstrated an imaginative knack for adjusting their tactics to exploit the financial sector as well as any other sector through illicit cyber operations.”

“CISA and our interagency partners work closely with industry to provide actionable, specific and timely cyber threat information, like today’s alert,” he added. “Our aim is to disrupt and defeat malicious cyber campaigns and help government and industry partners prioritize resources to highest risk to stay one-step ahead of adversaries.”