loader gif

North Korean hacker group APT38 stole over $100 million from banks across the globe

North Korea, North Korean Flag, National Flag, Flag, No People, Color Image
  • APT38 is a financially motivated group that has attempted to steal over $1 billion from financial organizations across the globe.
  • The group shares several similarities with the North Korean cyberespionage group TEMP.Hermit.

A new North Korean threat actor group’s nefarious activities have just come to light. Dubbed APT38, the hacker group is financially motivated yet conducts attacks using cyberespionage techniques. Since 2014, the group has attacked at least 16 organizations across 11 countries and attempted to steal over $1 billion.

APT38 shares several similarities, such as similar malware code and development resources, with the North Korean cyberespionage group TEMP.Hermit. The group orchestrated sophisticated cyberheists, generally targeting global banks.

“Since the first observed activity, the group's operations have become increasingly complex and destructive. APT38 has adopted a calculated approach, allowing them to sharpen their tactics, techniques, and procedures (TTPs) over time while evading detection,” FireEye researchers said in a report.

APT38’s targets

According to FireEye researchers, APT38’s furor of attacks is likely galvanized by the increasing number of economic and political sanctions imposed on Pyongyang. Since 2015, the group has targeted the Vietnam TP Bank, the Bangladesh Bank, the Far Eastern International Bank, the Bancomext and the Banco de Chile.

“A recent criminal complaint, unsealed on Sept. 6, 2018, by the U.S. Department of Justice (DOJ) detailing links between APT38, additional TEMP.Hermit activity, and the North Korean regime, named an African bank that appears to have been targeted in early 2016,” FireEye researchers said. “The bank was allegedly targeted with the NESTEGG backdoor and involved an attempted theft of approximately $100 million. This compromise overlaps with APT38's use of NESTEGG and the general timing of APT38 operations in early 2016.”

Modus operandi

Although APT38 is considered to be a financially motivated threat group, the hackers were observed using espionage techniques to carry out attacks. Instead of conducting smash and grab cyberheists, FireEye researchers found that on an average, APT38 remained on a victim’s network for at least 155 days. This suggests that the group invests significant time in researching its targets and maintaining persistence.

“APT38 relies on DYEPACK, a SWIFT transaction-hijacking framework, to initiate transactions, steal money, and hide any evidence of the fraudulent transactions from the victimized bank. The group uses DYEPACK to manipulate the SWIFT transaction records and hide evidence of the malicious transactions, so bank personnel are none the wiser when they review recent transactions,” FireEye researchers said.

Malware and detection evasion

APT38 is believed to be using around 26 custom malware families to carry out attacks. Msot of the malware used by the threat group is modular in nature. Malware variants such as DYEPACK and BLINDTOAD contain multiple and varied features - from encryption to the ability to bypass anti-virus programs.

The North Korean hacker group uses multiple techniques to avoid detection. The group uses passive and active backdoor malware variants such as NESTEGG and CHEESETRAY.

“Malware overlaps between APT38 and TEMP.Hermit highlight the shared development resources accessible by multiple operational groups linked to North Korean state-sponsored activity,” FireEye researchers said. “Although these are disparate operations against different targets and rely on distinct TTPs, the malware tools being used either overlap or exhibit shared characteristics indicating a shared developer or access to the same code repositories. Although APT38 is distinct from other TEMP.Hermit activity, both groups operate consistently within the interests of the North Korean state.”

APT38 a serious threat

Until recently, many of the attacks now attributed to APT38 were believed to have been conducted by either Lazarus or TEMP.Hermit. This blurring of the lines suggests APT38’s ability to remain well hidden while simultaneously conducting sophisticate heists against high-profile targets.The group’s evolution since 2014 and its continual attacks hint that APT38 may likely power through attempted detections and continue carrying out attacks.

“Despite recent efforts to curtail their activity, APT38 remains active and dangerous to financial institutions worldwide,” FireEye researchers said. “By conservative estimates, this actor has stolen over a hundred million dollars, which would be a major return on the likely investment necessary to orchestrate these operations. Furthermore, given the sheer scale of the thefts they attempt, and their penchant for destroying targeted networks, APT38 should be considered a serious risk to the sector.”

loader gif