Introducing APT38: North Korea’s Cyber Heist Outfit

Some financially motivated cyber-attacks previously attributed to the infamous Lazarus Group are actually the work of another North Korean state-sponsored threat group, according to FireEye.

The vendor’s latest report details the activities of APT38: a “large, prolific operation with extensive resources” that has already attempted to steal over $1bn from 16 organizations in at least 11 countries, many simultaneously.

Although the group may share personnel, code repositories and other resources with Lazarus and the TEMP.Hermit group, APT38’s TTPs are distinct and its aim is primarily to steal money for the hermit nation rather than carry out politically motivated espionage or destructive attacks, the report claimed.

Its attacks are notable for their lengthy, careful planning, custom-developed tools and willingness to destroy machines if it helps to thwart investigations, FireEye said.

The group spends on average 155 days inside a victim’s network, although it has been known to persist for nearly two years.

Attacks typically start with information gathering from targeted personnel and third party vendors, to understand how SWIFT transactions work, before initial compromise via watering hole attacks exploiting out-of-date Apache Struts2 installations.

Malware is then deployed to gather credentials and map network topology, before pivoting to the target’s SWIFT servers. Malware will then be deployed to insert fraudulent SWIFT transfers and alter transaction histories, before logs are deleted and disk-wiping malware is deployed.

“In addition to cyber operations, public reporting has detailed recruitment and cooperation of individuals in-country to support with the tail end of APT38’s thefts, including persons responsible for laundering funds and interacting with recipient banks of stolen funds. This adds to the complexity and necessary coordination amongst multiple components supporting APT38 operations,” concluded FireEye.

“Despite recent efforts to curtail their activity, APT38 remains active and dangerous to financial institutions worldwide. By conservative estimates, this actor has stolen over a hundred million dollars, which would be a major return on the likely investment necessary to orchestrate these operations. Furthermore, given the sheer scale of the thefts they attempt, and their penchant for destroying targeted networks, APT38 should be considered a serious risk to the sector.”

It's likely that a large part of that $100m came from the 2016 cyber-raid on Bangladesh Bank.

What’s Hot on Infosecurity Magazine?