Elite North Korean superhackers outed as global bank attackers
Washington — An elite group of North Korean hackers has been identified as the source of a wave of cyberattacks on global banks that has netted "hundreds of millions" of dollars, security researchers said on Wednesday.
A report by the cybersecurity firm FireEye said the newly identified group dubbed APT38 is distinct from, but linked to, other North Korean hacking operations, and has the mission of raising funds for the Pyongyang regime.
FireEye researchers said APT38 is one of several hacking cells within an umbrella group known as "Lazarus", but with unique skills and tools that have helped it carry out some of the world’s largest cyber heists.
"They are a cyber criminal group with the skills of a cyber espionage campaign," said Sandra Joyce, FireEye’s vice-president of intelligence.
Joyce said one of the characteristics of APT38 is that it takes several months, sometimes nearly two years, to penetrate and learn the workings of its targets before it attacks. It has sought to illegally transfer more than $1bn from victimised banks. "They take their time to learn the intricacies of the organisation," she said.
Once it succeeds, Joyce added, "they deploy destructive malware on their way out" to hide its traces. FireEye decided to go public about the threat because the group appears to still be operating and is "undeterred by any diplomatic efforts", she said.
The group has compromised more than 16 organisations in at least 11 countries since at least 2014, according to the FireEye report. Some of the known attacks include the Vietnam TP Bank in 2015, Bangladesh Bank in 2016, Far Eastern International Bank of Taiwan in 2017 and Bancomext of Mexico and Banco de Chile in 2018.
Joyce said the group appears to have "the scope and resources of a nation-state" but offered no specific figures on how many people it uses.
Nalani Fraser, a member of the FireEye research team, said APT38 attacks sought at least $1.1bn since 2014 and have managed to steal "hundreds of millions of dollars based on data that we can confirm".
FireEye said there appears to be some sharing of resources among hacker groups in North Korea, including those involved in espionage.
Some of the information about APT38 was revealed in a US criminal complaint unsealed last month against Park Jin-hyok, charged in connection with the WannaCry ransomware outbreak and the attack on Sony Pictures.
But Park is likely to have played only a peripheral role in APT38, which "has a focused mission to steal money to fund the North Korean regime," according to Joyce.
The researchers said APT38 used extremely sophisticated techniques, including "phishing" e-mails to gain access to credentials and "watering holes" — hijacked websites that appear normal but contain malware that enables the hackers to gather data and gain access.
As part of the scheme, the hackers created fake identities within known NGOs or foundations to help move the stolen money, in some cases manipulating the global interbank transfer system SWIFT.