
North Korea's 'Un-usual suspects'

A newly emerging, financially motivated group that is an Advanced Persistent Threat (APT).

In our recent special report 'Un-usual Suspects', FireEye's intelligence takes a deep dive into the world of the financially motivated North Korean group APT38.

Responsible for destructive attacks against financial institutions, as well as some of the world's largest cyber heists, the group has attempted to steal in excess of $1.1 billion. That figure is based on widely publicized operations alone and therefore likely falls short of the actual sums involved.

We usually categorize financially motivated actors as FIN groups. However, because this particular group is backed by, and acts on behalf of, the North Korean regime, we have categorized it as an APT. This nomenclature also reflects the fact that the group's activities are more akin to espionage: instead of simply obtaining access and moving to transfer funds as quickly as possible, APT38 conducts in-depth reconnaissance within compromised financial institutions, balancing financially motivated objectives with learning about internal systems. We believe the group shares malware code and other development resources with a North Korean espionage group which we refer to as TEMP.Hermit.

Since at least 2014, the group has compromised more than 16 organizations in at least 13 different countries, sometimes simultaneously.

Bank Robbery

It is not just banks that are at risk from APT38; countries' financial governing bodies and media organizations with a focus on the financial sector have also been targeted. The key objective is to manipulate inter-bank financial systems to raise large sums of money for the Pyongyang regime, which is suffering increasingly severe international sanctions following continued weapons development and testing. This is also almost certainly behind the scale of, and acceleration in, APT38 activity: North Korea is desperate to obtain funds to pursue state interests.

An APT38 cyber bank robbery

This view is backed by published reports from defectors providing details on cyber-focused military units being tasked to generate income for the regime by engaging in piracy, freelance programming and other activities.

APT38 operations have become increasingly complex and destructive, with the adoption of a calculated approach which allows the sharpening of tactics, techniques, and procedures (TTPs) over time whilst evading detection. Given the sheer scale of the thefts they attempt, and their penchant for destroying targeted networks, APT38 should be considered a serious threat to the financial sector.


Our report provides a detailed account of the characteristics and operational specifics of APT38's activities and modus operandi, from initial compromise through internal reconnaissance, the pivot to SWIFT servers, the transfer of funds and the destruction of evidence.

It throws light on the complexity of operations, including a toolset of at least 26 unique non-public and two publicly available malware families with a variety of backdoors, disruptive tools, tunnelers and data miners, as well as the use of multiple evasion techniques such as modular malware and false flags.