5 Things To Know About New North Korean-Backed Hackers APT38

Here's a look at five things that make the North Korean regime-backed cyber espionage group APT38 such an insidious threat to banks and financial institutions around the globe.

Getting To Know APT38

APT38 is an active threat to financial institutions all around the world due to methods and technologies being deployed by the North Korean regime-backed group, according to Sandra Joyce, VP and head of global intelligence operations for Milpitas, Calif.-based FireEye.

"This is a very insidious group," Joyce said at the FireEye Cyber Defense Summit in Washington D.C. "They will destroy networks and steal millions and millions of dollars."

Instead of simply obtaining access to financial institutions and moving to transfer funds as quickly as possible, APT38 operates more like an espionage operation, conducting reconnaissance within compromised financial institutions to learn about their internal systems. The group has compromised more than 16 organizations in at least 11 different countries since beginning to focus on banks in 2014.


Here's a look at five things that make APT38 so dangerous.

5. Their Motivations Are Different Than Other North Korean Hackers

A criminal complaint unsealed last month by the U.S. Department of Justice, which detailed links between APT38 and the North Korean regime, made numerous references to Lazarus, the North Korean group linked to the WannaCry ransomware attack and the 2014 attack against Sony Pictures Entertainment over the movie The Interview.

But although APT38 shares some development resources and North Korean sponsorship with Lazarus and related group TEMP.Hermit, Joyce said it has a very distinct and focused mission. Specifically, Joyce said APT38 is focused on stealing money and conducting bank heists to fund the North Korean regime.

Defenders need to be more specific in order to proactively hunt for relevant threats in their environment, Joyce said. Referencing APT38 specifically rather than umbrella terms like Lazarus provides greater clarity about what's going on, Joyce said, ensuring that financial institutions that share the threat profile of APT38's targets put appropriate protections in place.

4. Their Actions Aren't Connected To Diplomatic Efforts

APT38's behavior is undeterred by any diplomatic efforts, Joyce said, with the group continuing to act before, during and after attempts at diplomacy by the United States or the international community. Their primary mission, Joyce said, is to steal money for the North Korean regime in response to the pressure of economic sanctions that have been depriving the nation's government of funds.

The group creates accounts under fictitious names, Joyce said, and then approaches its target through legitimate NGOs or other organizations in good standing. In essence, Joyce said, APT38 conducts bank heists like criminals, except that it uses espionage techniques.

"They have the scope and scale of a nation-state," Joyce said. "This is a coordinated effort. There is a lot of thought, process and programs being put in place."

3. They Remain In The Victim's Network For 155 Days On Average

The dwell time APT38 has in the victim's network gives the group an interesting and unique perspective, Joyce said.

On average, Joyce said, APT38 spends 155 days persisting in the victim's network before deploying its malware and stealing the money, and it once remained within a compromised system for 678 days (nearly two years). APT38 takes its time to learn the intricacies of the targeted organization's processes, operating essentially as a nation-state cyber espionage group that steals money, according to Joyce.

APT38 is able to move extensive amounts of resources and conduct multiple global intrusions simultaneously, Joyce said. In fact, FireEye once saw nine banks and financial institutions being affected by APT38 at the same time.

2. They Will Deploy Destructive Malware On Their Way Out

Once APT38 has stolen money and is attempting to move the funds in the international financial system, Joyce said the group will deploy destructive malware.

Doing so not only allows APT38 to cover its tracks, Joyce said, but also helps with distracting defenders, complicating the incident response process, and gaining time to get out the door.

"The use of destructive malware is what makes this urgent for customers," Joyce said. "It is a completely brazen way to burn the house down once they've stolen what they've stolen."

1. They Have Attempted To Steal More Than $1.1B

APT38 is a cybercriminal group with the skills and technology of an espionage campaign, Joyce said, which has allowed them to carry out some of the world's largest financial thefts.

Specifically, Joyce said combining FireEye's observations with public reporting on APT38 indicates that the group has attempted to steal $1.1 billion since it began targeting banks and financial institutions in 2014.

The amount of damage APT38 inflicts on victims is massive, Joyce said, with FireEye observing one instance where an organization had 10,000 of its servers and workstations rendered completely inoperable. In another case, Joyce said the victim organization suffered an outage to its telephone service and other essential services.