North Korean hackers behind SWIFT attack worth USD 100 mln

Friday 5 October 2018 11:29 CET | News

Researchers at FireEye have shared details about how a North Korean hacking team, APT 38, has stolen more than USD 100 mln via fraudulent transfers through SWIFT.

FireEye had previously attributed the cyberattacks on the SWIFT international interbank messaging system at various banks to a North Korean hacking group it calls TEMP.Hermit, which had mostly conducted cyber-espionage attacks against the energy and defense sectors in South Korea and the US.

APT 38's main objectives, however, are financial, carried out on behalf of the North Korean government. Since 2015, the hacking team has stolen hundreds of millions of dollars from at least five banks (including Bangladesh Bank and Banco de Chile) and has hacked into 16 organizations in 11 countries, in Latin America and Europe as well as the US, according to FireEye.

FireEye researchers say APT 38 stands apart because of its specialized custom tools and its focus on the operations of financial organizations. APT 38 employs at least 39 toolsets and is known for its deep study of its targets, often remaining inside a target's network for long periods before making a move on its data.

On average, APT 38 spends 155 days in a compromised network. In one case, it sat quietly on a victim's network for two years before making its move for money. APT 38 spends that time gathering credentials, mapping the network, and scanning systems for information and vulnerabilities.

When APT 38 began to pivot to the SWIFT servers at bank targets, it used a mix of homegrown and legitimate tools: in one case, it used Sysmon to gather the users and processes that had access to the SWIFT servers.

To transfer stolen funds, APT 38 uses its so-called DYEPACK malware for the fraudulent transactions, which were mostly made in less conspicuous increments and sent to countries with lax anti-money-laundering laws.


Keywords: North Korea, SWIFT, cybercrime, APT 38, FireEye, banking security
Countries: World