FireEye, Inc., an independent intelligence-led security company, has published an investigative report on recent North Korean state-sponsored cyber operations. Based on an intensive review of various offensive actors in the cyber domain, the report identifies a distinct, financially motivated group, APT38. While APT38 appears to share certain developmental resources with a known North Korean cyber espionage activity, TEMP.Hermit, the group conducts more global operations with a highly specialized focus on the financial sector. As the report suggests, the group’s adoption of “a calculated approach, allowing them to sharpen their tactics, techniques, and procedures (TTPs)” not only furthers its development as an increasingly complex and destructive cyber actor but also allows the group to evade detection.
The primary significance of APT38 lies in its connection with the North Korean regime: the group aims to raise large sums of money by manipulating global financial systems and targeting multinational organizations in entertainment and defense infrastructure. According to the presented findings, the group is “strongly distinguishable because of its specific focus on financial institutions and operations that attempt to use SWIFT [Society for Worldwide Interbank Financial Telecommunication] fraud to steal millions of dollars at a time.” While North Korea has previously relied on illicit activity to support the state economy, including smuggling and drug trafficking, the regime’s primary focus is shifting towards the cyber domain.
The report includes a number of publicly reported cases attributed to APT38 activity: an African bank in early 2016, which involved an attempted theft of approximately $100 million; a Southeast Asian bank, coinciding with APT38’s attacks on a number of organizations in Southeast Asia in late 2015 and 2016; the Banco del Austro in Ecuador, targeted with fraudulent SWIFT transactions in 2015; and Cosmos Bank in India, infiltrated via both fraudulent ATM and SWIFT transactions in 2018.
Significantly, as the 2016 economic sanctions against North Korea drastically reduced the regime’s access to the international financial system, the evidence suggests a direct link between these developments and the initial formulation of APT38’s core objectives. Furthermore, the additional 2017 sanctions “may have continued to influence the speed of APT38’s attempted heists.” The report includes a detailed timeline of all recorded APT38 activity. In addition, it lists APT38’s preferred strategic and tactical approaches as well as the characteristics of its malware and relevant tools. Based on its observations of APT38’s activities, the report predicts that such operations will continue to develop and expand in the future.