The attacks aimed at financial institutions, FireEye estimates APT38 has stolen at least a hundred million dollars from banks worldwide.
APT38 appears to be a North Korea-linked group separate from the infamous Lazarus group, it has been active since at least 2014 and it has been observed targeting over 16 organizations across 11 countries.
The report attributed the string of attacks against the SWIFT banking system to the APT38, including the hack of Vietnam’s TP Bank in 2015, Bangladesh’s central bank in 2016, Taiwan’s Far Eastern International in 2017, Bancomext in Mexico in 2018, and Banco de Chile in 2018.
“APT38 is a financially motivated group linked to North Korean cyber espionage operators, renown for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware.” reads the report published by FireEye.
“Attribution to both the “Lazarus” group and TEMP.Hermit was made with varying levels of confidence primarily based on similarities in malware being leveraged in identified operations. Over time these malware similarities diverged, as did targeting, intended outcomes, and TTPs, almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship.”
According to FireEye, the APT38 was targeting banks worldwide to allows the North Korean government to obtain new cash bypassing sanctions imposed on Pyongyang by foreign states.
“Based on observed activity, we judge that APT38’s primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime. Increasingly heavy and pointed international sanctions have been levied on North Korea following the regime’s continued weapons development and testing.” continues the report.
“The pace of APT38 activity probably reflects increasingly desperate efforts to steal funds to pursue state interests, despite growing economic pressure on Pyongyang.”
Experts believe the activity of the group will continue in the future, likely adopting new sophisticated tactics to avoid detection.
“Based on the large scale of resources and vast network dedicated to compromising targets and stealing funds over the last few years, we believe APT38’s operations will continue in the future,” concludes FireEye.
“In particular, the number of SWIFT heists that have been ultimately thwarted in recent years coupled with growing awareness for security around the financial messaging system could drive APT38 to employ new tactics to obtain funds especially if North Korea’s access to currency continues to deteriorate.”
(Security Affairs – APT38, North Korea)