FireEye researchers have just released details on a new threat group, dubbed APT38, held responsible for attempted heists totalling approximately $1.1 billion from financial institutions across several geographies.
The group is also believed to have close ties to the North Korean regime and its illicit, financially motivated activities, but its activity appears distinct from that of other well-known groups such as Lazarus (aka Hidden Cobra) and TEMP.Reaper. The malicious tools employed show some similarities, suggesting the groups have access to the same developers or code repositories; their operations, targets and TTPs, however, have diverged over time.
At least 16 organizations in at least 11 countries have been targeted since the group's first known operation in 2014. In particular, attacks on the SWIFT-connected systems of banks between 2016 and 2018 have been attributed to APT38, including targets of the calibre of Bangladesh Bank, Bancomext and Banco de Chile. According to FireEye, the victims of further heist attempts included financial governing bodies as well as media organizations within the financial sector. FireEye's detailed timeline explains that the group's heavy interest in the financial sector is likely a result of the economic sanctions enacted against North Korea over the years.
APT38 is assessed to run large-scale, well-planned operations. Its attack lifecycle is characterized by long-term planning, external and internal reconnaissance, and persistent access to the compromised victims' systems. At least 26 non-public malware families, plus two publicly available tools, have been attributed to the group. Once the heist is complete, the intrusion is followed by the destruction of evidence on compromised systems to hinder detection and forensic analysis.
FireEye has warned of the seriousness of the risk posed by the group, which remains active; its operations are likely to continue, with more sophisticated tactics to avoid detection.
Proficio Threat Intelligence Recommendations:
- Financial clients should consider implementing additional security controls around SWIFT transactions (for example, multi-party authorization and out-of-band verification of high-value transfers) to avoid falling victim to an attack.
- Update IDS/IPS signatures and blocklists to alert or block on the IOCs detailed in the report (IP address ranges), and retrospectively search historical firewall and proxy logs for connections to those ranges.
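One way to operationalize the IP-range IOCs from the report, as an added example rather than Proficio's or FireEye's own tooling: load the ranges as CIDR networks, sweep existing firewall logs for any src/dst address that falls inside them, and emit one Suricata/Snort rule per range for the IDS/IPS. The two CIDRs below are RFC 5737 documentation addresses standing in for the report's list, and the log lines are constructed; both are placeholders, not data from the report.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Placeholder IOC ranges (RFC 5737 documentation space). These are NOT the ranges
# published in the FireEye APT38 report; substitute that list when deploying.
IOC_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed firewall log lines for illustration only (no real traffic).
# Note that 198.51.100.200 sits outside the /25 and must NOT match.
SAMPLE_LOGS = """\
2018-10-03T09:12:44Z fw01 allow src=10.20.1.17 dst=192.0.2.45 dport=443 proto=tcp
2018-10-03T09:12:45Z fw01 allow src=10.20.1.17 dst=172.16.8.9 dport=445 proto=tcp
2018-10-03T09:13:01Z fw01 allow src=198.51.100.200 dst=10.20.1.5 dport=3389 proto=tcp
2018-10-03T09:13:07Z fw01 allow src=198.51.100.7 dst=10.20.1.5 dport=22 proto=tcp
"""

# Pull every src=/dst= IPv4 address out of a log line.
IP_RE = re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})")


def iocs_in(line: str) -> List[str]:
    """Return the IOC networks (as strings) that any src/dst address on the line falls into."""
    hits: List[str] = []
    for addr in IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed octets (e.g. 300.1.1.1): skip rather than abort the sweep
        for net in IOC_RANGES:
            if ip in net and str(net) not in hits:
                hits.append(str(net))
    return hits


def scan(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, line, matched_networks) for every log line touching an IOC range."""
    results = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = iocs_in(line)
        if hits:
            results.append((n, line, hits))
    return results


def suricata_rules(ranges: Iterable, base_sid: int = 9000001) -> List[str]:
    """Emit one bidirectional alert rule per IOC range (Suricata/Snort syntax)."""
    rules = []
    for i, net in enumerate(ranges):
        rules.append(
            f'alert ip any any <> {net} any (msg:"APT38 IOC range {net}"; '
            f"sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    for line_no, line, hits in scan(SAMPLE_LOGS):
        print(f"line {line_no} matched {hits}: {line}")
    print("\n".join(suricata_rules(IOC_RANGES)))
```

Matching on parsed `ipaddress` objects rather than string prefixes is what keeps 198.51.100.200 out of a /25 that ends at .127; swap `alert` for `drop` in the generated rules only once the ranges have been checked against legitimate business traffic, since a false positive on a blocking rule can disrupt banking operations.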