
APT38, the new North Korean group that targets financial organizations

APT38 is the latest North Korean state-sponsored hacking group identified by FireEye. It specializes in targeting financial organizations across the globe and has attempted to steal over $1 billion.

FireEye researchers have identified a new group of North Korean state-sponsored hackers, tracked as APT38, that has attempted to steal over $1 billion from financial organizations across the globe. Since 2014, APT38 has conducted cyber attacks against at least 16 organizations in 11 countries. Instead of simply obtaining access and moving to transfer funds as quickly as possible, the group is believed to operate more like an espionage operation, carefully conducting reconnaissance within compromised financial institutions and balancing its financially motivated objectives with learning about internal systems. APT38 also shares malware code and other development resources with the TEMP.Hermit North Korean cyber espionage activity, although “we consider APT38’s operations more global and highly specialized for targeting the financial sector,” FireEye explains. “Since the first observed activity, the group’s operations have become increasingly complex and destructive.”

The primary mission of APT38 is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for Pyongyang

Based on observed activity, FireEye judges that “APT38’s primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime,” the company writes in its report. “Increasingly heavy and pointed international sanctions have been levied on North Korea following the regime’s continued weapons development and testing. The pace of APT38 activity probably reflects increasingly desperate efforts to steal funds to pursue state interests, despite growing economic pressure on Pyongyang. Since 2015, APT38 has attempted to steal hundreds of millions of dollars from financial institutions.” Publicly reported attempted heists attributed to the group include the attacks on Vietnam’s TP Bank (December 2015), Bangladesh Bank (February 2016), Far Eastern International Bank in Taiwan (October 2017), Mexico’s Bancomext (January 2018), and Banco de Chile (May 2018).

The threat actor uses espionage tradecraft and around 26 custom malware families to carry out its attacks and avoid detection

Although APT38 is considered a financially motivated threat group, the North Korean state-sponsored hackers have been observed using espionage tradecraft to carry out their attacks. Rather than conducting smash-and-grab cyber heists, FireEye researchers found that APT38 remained on a victim’s network for an average of at least 155 days, which indicates that the group invests significant time in researching its targets and maintaining persistence. The threat actor is believed to use around 26 custom malware families in its operations. Most of the malicious code is modular, and variants such as DYEPACK and BLINDTOAD bundle multiple, varied features, from encryption to the ability to evade anti-virus products. Finally, the Pyongyang hackers use several techniques to avoid detection, including both passive and active backdoor variants such as NESTEGG and CHEESETRAY.

The FireEye report on the threat actor (PDF)
