FireEye previously had attributed the cyberattacks on the SWIFT international interbank messaging system at various banks to a North Korean hacking group it calls TEMP.Hermit, which had mostly conducted cyber-espionage attacks against the energy and defense sectors in South Korea and the US.
APT 38's main objectives, however, are financial, pursued on behalf of the North Korean government. Since 2015, the hacking team has stolen hundreds of millions of dollars from at least five banks (including Bangladesh Bank and Banco de Chile) and has hacked into 16 organizations in 11 countries, in Latin America and Europe as well as the US, according to FireEye.
FireEye researchers say APT 38 stands apart with its specialized custom tools and its focus on the operations of financial organizations. APT 38 employs at least 39 toolsets and is known for its deep study of its targets, often remaining inside a target's network for long periods before making a move on its data.
On average, APT 38 spends 155 days in a compromised network. In one case, it sat quietly on a victim's network for two years before making its move for money. APT 38 spends that time gathering credentials, mapping the network, and scanning systems for information and vulnerabilities.
When APT 38 began to pivot to the SWIFT servers in bank targets, it used a mix of homegrown and legitimate tools: in one case, it used Sysmon to gather the users and processes that had access to the SWIFT servers.
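The same Sysmon network-connection telemetry the attackers mined can be turned against this kind of reconnaissance and pivoting from the defender's side. The script below is an added example written for this article, not code from FireEye or from the report it describes: it reads Sysmon Event ID 3 (network connection) records, keeps only connections to hosts designated as SWIFT servers, and reports every user/process pair that is not on an assumed baseline of expected access. The SWIFT server addresses, the baseline pairs, the hostnames and the log records are all constructed for the example.

```python
from collections import defaultdict

# Constructed Sysmon Event ID 3 records (a subset of the real event's fields).
# In production these would be read from the Windows event log or a SIEM.
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "SWIFT-OPS01", "User": "BANK\\svc_swift",
     "Image": "C:\\Program Files\\SWIFT\\saa.exe",
     "DestinationIp": "10.20.30.5", "DestinationPort": 443},
    {"EventID": 3, "Computer": "SWIFT-OPS01", "User": "BANK\\svc_swift",
     "Image": "C:\\Program Files\\SWIFT\\saa.exe",
     "DestinationIp": "10.20.30.5", "DestinationPort": 443},
    # An unexpected pair: a domain admin account running PowerShell from a
    # workstation that normally has no business with the SWIFT segment.
    {"EventID": 3, "Computer": "WKS-0417", "User": "BANK\\jdoe_admin",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationIp": "10.20.30.5", "DestinationPort": 445},
    # Same unexpected pair seen from a second host (lateral movement pattern).
    {"EventID": 3, "Computer": "FILESRV02", "User": "BANK\\jdoe_admin",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationIp": "10.20.30.5", "DestinationPort": 445},
    # Traffic to a non-SWIFT host is ignored regardless of who sent it.
    {"EventID": 3, "Computer": "WKS-0417", "User": "BANK\\jdoe_admin",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "DestinationIp": "10.20.99.1", "DestinationPort": 80},
    # Non-network events (e.g. process creation, ID 1) are skipped.
    {"EventID": 1, "Computer": "WKS-0417", "User": "BANK\\jdoe_admin",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]

# Assumed SWIFT server addresses and the assumed baseline of who may talk to them.
SWIFT_HOSTS = {"10.20.30.5"}
EXPECTED_ACCESS = {("svc_swift", "saa.exe")}


def _normalise(event):
    """Reduce a record to a (user, image) pair: strip the domain and the path."""
    user = event["User"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    return user, image


def find_unexpected_swift_access(events, swift_hosts, expected):
    """Return {(user, image): [source hosts]} for connections to SWIFT servers
    that come from a user/process pair outside the expected baseline."""
    findings = defaultdict(set)
    for event in events:
        if event.get("EventID") != 3:
            continue                       # only network-connection events
        if event.get("DestinationIp") not in swift_hosts:
            continue                       # only traffic toward SWIFT servers
        pair = _normalise(event)
        if pair in expected:
            continue                       # baselined access is expected
        findings[pair].add(event["Computer"])
    return {pair: sorted(hosts) for pair, hosts in findings.items()}


if __name__ == "__main__":
    for (user, image), hosts in find_unexpected_swift_access(
            SAMPLE_EVENTS, SWIFT_HOSTS, EXPECTED_ACCESS).items():
        print(f"unexpected SWIFT access: {user} via {image} from {', '.join(hosts)}")
```

The value of this check is the baseline: once the legitimate SWIFT application and service accounts are enumerated, any other user or binary reaching the SWIFT segment, and especially the same pair appearing from several source hosts, is the reconnaissance and pivoting stage the report describes rather than the final fraudulent transfer.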
To transfer stolen funds, APT 38 uses its so-called DYEPACK malware for the fraudulent transactions, which mostly were performed in less conspicuous increments and sent to nations with lax money-laundering laws.