A team of FireEye researchers has detailed the cyber machinations of APT38, a group of North Korea-linked hackers focusing on financial crime and responsible for stealing millions of dollars using highly destructive malware.
The team of Nalani Fraser, Jaqueline O’Leary, Vincent Cannon and Frederick Plan said they were able to identify and separate APT38 from the many other North Korean-based cybergangs now operating, although the researchers noted APT38’s methodology does overlap to some extent with the well-known Lazarus Group and TEMP.Hermit. However, the latter two have cyberespionage as their goal with APT38 falling into the John Dillinger criminal segment acting primarily as bank robbers.
“APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions, as well as some of the world's largest cyber heists. Based on widely publicized operations alone, the group has attempted to steal more than $1.1 billion,” the report stated.
FireEye further connected APT38 to the North Korean regime “based on a combination of technical indicators linking the activity to Pyongyang and details released by DOJ implicating North Korean national Park Jin Hyok in a criminal conspiracy. We assess with high confidence that these activities were directed and sponsored by the North Korean government.”
The money is needed to bridge a shortfall in income created by the massive international sanctions that have been levied against North Korea for its nuclear weapon development activities. The report pinpoints financial sanctions implemented in March 2013 that blocked bulk cash transfers and restricted North Korea's access to the international banking system as being a primary impetus behind APT38’s formation and leading to its first attacks that were documented the following year.
FireEye believes APT38 has been operating since 2014 conducting at least 16 operations in 11 countries. Attacks in separate countries have happened at the same time which FireEye has interpreted as meaning the group is large and well-funded. The actual number of victims may be larger, but due to the nature of the attacks not every compromised organization has come forward.
Sanctions that were added in 2016 and 2017 may have encouraged the group to expedite its attacks in order to generate more funds for the North Korean Regime.
Other characteristics include:
- Having a long planning period
- Gaining long-term access to their victims before there is any attempt to steal money.
- Observed compromises lasting between 155 days and two year
- Fluency across mixed operating system environments.
- The use of custom developed tools.
- Exhibits a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterward.
The group’s willingness to destroy its victims is likely part of its attempt to hide its tracks post-attack, but also to provide cover for money laundering operations.
Some of APT38’s targets include an unnamed South African Bank where the group tried to steal $100 million using the NESTEGG backdoor, Banco del Austro in Ecuador was hit with fraudulent SWIFT transactions and Cosmos Bank in India was targeted with fraudulent SWIFT and ATM transactions.
However, the group has not limited itself to striking financial institutions to include using watering at cryptocurrency focused media organizations, financial news outlets and a financial transaction exchange. These attacks were likely conducted to find information that could be used in future bank heists, FireEye reported.
Overall, APT38 has hit targets in every region around the world.
The report concluded that not even the public exposure of their actions or the recent warming of relations between the United States, South Korea and North Korea has hinder APT38’s operations.
“Furthermore, the timing of recent APT38 operations provides some indication that even diplomatic re-engagement will not motivate North Korea to rein in its illicit financially-motivated activities. Based on the large scale of resources and vast network dedicated to compromising targets and stealing funds over the last few years, we believe APT38’s operations will continue in the future,” the researchers said.