
North Korea’s APT38 behind bank heists

October 5, 2018 | Expert Insights

North Korean-linked hacking group APT38 has stolen hundreds of millions of dollars in bank heists spanning at least 11 countries, security researchers at FireEye reported.

Background

North Korean hackers, backed by Pyongyang, have been tied to a wide range of cyber attacks and cyber espionage operations over the years that have caused huge disruptions, stolen millions of dollars, or siphoned off valuable intelligence.

North Korea was accused of carrying out the devastating hack on Sony Pictures Entertainment in 2014. The Sony attack was believed to be retaliation for the company’s planned Christmas Day release of “The Interview”, a comedy about the assassination of North Korean leader Kim Jong Un. The widespread WannaCry ransomware attacks that infected hundreds of thousands of computers in 150 nations and crippled parts of Britain’s National Health Service (NHS) in May 2017 have also been linked to North Korean hackers. Numerous attacks in South Korea, including the hacking of South Korean bitcoin exchange Youbit in December 2017, have been linked to North Korea as well.

In September, the US Justice Department charged alleged North Korean operative Park Jin-hyok over the Sony hack, the WannaCry ransomware attack and the $81 million heist of Bangladesh’s central bank among other devastating attacks.

Security experts have reported that hacking groups backed by North Korea’s authoritarian government are continually targeting financial institutions, cryptocurrency-related organizations, and other organizations of interest in an attempt to generate revenue and gather intelligence for the isolated, sanction-strapped country.

Analysis

Security firm FireEye has identified APT38, a state-backed North Korean hacking collective believed to be responsible for operations against more than 16 organizations in at least 11 countries. Researchers have noted that the group’s operations are distinct from those of other North Korea-linked outfits such as the better-known Lazarus Group and TEMP, which are more focused on political cyber-espionage. APT38, by comparison, appears to be primarily focused on cyberheists targeting banks and financial institutions.

However, security researchers have identified several overlapping characteristics and techniques between the three groups, including the malware tools used in identified campaigns.

Since at least 2014, APT38 has attempted to steal more than $1.1 billion from financial institutions. According to FireEye’s conservative estimates, the threat actor has likely stolen over a hundred million dollars through its operations. The group initially targeted financial firms in Southeast Asia, then expanded into other regions such as Latin America and Africa, and later moved further into Europe and North America.

According to FireEye, APT38 is characterized by “long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards.”

Institutions targeted by APT38 include Vietnam TP Bank in December 2015, Bangladesh Bank in February 2016, the Far Eastern International Bank in Taiwan in October 2017, Bancomext in January 2018 and Banco de Chile in May 2018.

The US Department of Homeland Security (DHS) has warned that Hidden Cobra, the federal government’s name for North Korea-linked hacking campaigns, has been using malware to withdraw tens of millions of dollars from ATMs in Africa and Asia over the past two years. The hackers have incorporated knowledge of the International Organization for Standardization (ISO) 8583 financial messaging standard into their campaigns, leveraging configured, legitimate scripts on compromised switch application servers to intercept financial request messages and insert fraudulent transactions. The rise in attacks targeting the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system, which is used to transfer money between banks across the globe, has raised concerns that threat actors are becoming more proficient at exploiting the systems that underpin the global financial system.
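The ATM cash-out abuse described above works by having a compromised switch answer withdrawal requests with approvals the issuer never gave, so a basic defensive control is to reconcile the ISO 8583 responses seen on the wire against the issuer's own authorization log. The example below is added here and is not FireEye, DHS or any vendor's code: it parses a small, assumed subset of ISO 8583 fields (MTI, primary bitmap, fields 2, 3, 4, 11, 39 and 41) and flags approved 0210 responses whose STAN the issuer either never processed or declined; every message, PAN, amount and log entry is constructed sample data.

```python
# Added example (not FireEye or DHS code): parse a subset of ISO 8583 and check
# approved 0210 responses against the issuer's own authorization log.
# Every message, PAN, amount and log entry below is constructed sample data.

FIELD_SPEC = {                # field -> (encoding, length); assumed subset
    2: ("llvar", 19),         # PAN, two-digit length prefix
    3: ("fixed", 6),          # processing code, 01xxxx = cash withdrawal
    4: ("fixed", 12),         # amount in minor currency units
    11: ("fixed", 6),         # STAN, ties a response to its request
    39: ("fixed", 2),         # response code, "00" = approved
    41: ("fixed", 8),         # terminal id
}

def parse_iso8583(msg):
    # MTI is 4 chars, primary bitmap is 16 hex chars, then the data elements
    mti, bitmap, body = msg[:4], msg[4:20], msg[20:]
    bits = bin(int(bitmap, 16))[2:].zfill(64)      # bits[0] is field 1
    fields, pos = {"mti": mti}, 0
    for num, bit in enumerate(bits, start=1):
        if bit != "1":
            continue
        if num not in FIELD_SPEC:                  # includes bit 1 (secondary bitmap)
            raise ValueError(f"field {num} present but not in FIELD_SPEC")
        kind, length = FIELD_SPEC[num]
        if kind == "llvar":
            length, pos = int(body[pos:pos + 2]), pos + 2
        fields[num], pos = body[pos:pos + length], pos + length
    return fields

def suspicious_approvals(responses, issuer_log):
    # Returns (STAN, reason) for approvals that the issuer's own log does not back
    findings = []
    for raw in responses:
        f = parse_iso8583(raw)
        if f["mti"] != "0210" or f[39] != "00":
            continue                              # declines are not in scope
        decision = issuer_log.get(f[11])
        if decision is None:
            findings.append((f[11], "approval for a STAN the issuer never processed"))
        elif decision != "00":
            findings.append((f[11], f"approval contradicts issuer decision {decision}"))
    return findings

# Constructed wire traffic. Bitmap 7020000002800000 marks fields 2,3,4,11,39,41.
HDR, PAN = "02107020000002800000", "164000001234567890"
RESPONSES = [
    HDR + PAN + "010000" + "000000050000" + "000123" + "51" + "ATM00001",
    HDR + PAN + "010000" + "000000900000" + "000124" + "00" + "ATM00001",
    HDR + PAN + "010000" + "000000900000" + "000999" + "00" + "ATM00002",
]
ISSUER_LOG = {"000123": "51", "000124": "51"}   # constructed: issuer's real decisions by STAN
```

Running `suspicious_approvals(RESPONSES, ISSUER_LOG)` flags the second and third responses: one approval contradicts the issuer's decline, the other carries a STAN the issuer never saw.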

FireEye researchers believe APT38’s operations are likely to continue. The spate of major cyber heists involving SWIFT in recent years has prompted greater awareness and stronger security measures to safeguard the financial messaging system against compromise. However, researchers believe the group will eventually employ new tactics to steal funds.

Assessment

We assess that sophisticated cyber attacks and targeted digital offensives by North Korean-linked hackers are likely to increase despite positive steps taken in diplomatic efforts by the United States and the international community. We believe that the North Korean authoritarian government and its state-backed attackers are likely to turn to malicious cyber activity to generate revenue in the face of dwindling state revenues and the continued imposition of tough sanctions.