North Korean cybertheft of $100-plus million attributed to APT38
Security researchers tracked an aggressive cybertheft campaign -- attributed to North Korean APT38 -- in which threat actors attempted to steal more than $1 billion and destroy all evidence along the way.
The SWIFT banking transaction system is at the center of another major cybertheft campaign. This time, the theft was attributed to an advanced persistent threat group alleged to be backed by the North Korean government.
FireEye analysts said they were able to uncover the activity of APT38 because of the recent U.S. indictment of North Korean hacker Park Jin Hyok. However, despite similarities in method and malware to Park's Lazarus Group advanced persistent threat, FireEye said considering APT38 separate from Lazarus "will provide defenders with a more focused understanding of the adversary and allow them to prioritize resources and enable defense."
In a report about the North Korean cybertheft campaign, FireEye detailed attacks by the group against "more than 16 organizations in at least 11 different countries -- sometimes simultaneously -- since at least 2014." The FireEye analysts included Nalani Fraser, manager of the advanced analysis team for FireEye Intelligence; Jacqueline O'Leary, senior threat intelligence analyst; Vincent Cannon, associate analyst; and Fred Plan, senior analyst.
The analysts described APT38 as being financially motivated and backed by the North Korean government, but unusual in its methodology.
"Instead of simply obtaining accesses and moving to transfer funds as quickly as possible, APT38 is believed to operate more similarly to an espionage operation, carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems," the analysts wrote in their report. "APT38 has adopted a calculated approach, allowing them to sharpen their tactics, techniques, and procedures over time while evading detection."
The analysts said the North Korean cybertheft campaigns were "characterized by long planning [and] extended periods of access to compromised victim environments." APT38 remained in victim networks for an average of 155 days and was found inhabiting one victim network for nearly two years.
According to the FireEye research, the threat actors targeted vendors with access to the SWIFT banking transaction system and attempted to steal a total of $1.1 billion, but the researchers put a conservative estimate of the group's successful attacks at more than $100 million.
Although APT38 used the SWIFT network to steal money, FireEye researchers were careful to note they never observed the malicious actors "breach the integrity of the SWIFT system itself."
Instead, the group used watering holes and unpatched Apache Struts 2 flaws to gain access to networks. They deployed malware to harvest credentials, insert fraudulent SWIFT transactions, alter transaction history and transfer funds to other banks.
FireEye analysts said the North Korean cybertheft campaign was also unique because APT38 was "not afraid to aggressively destroy evidence or victim networks as part of its operations." This destruction was an effort to avoid detection and to cover up money-laundering schemes.
According to FireEye, APT38 is still "active and dangerous to financial institutions worldwide."
Despite the evidence FireEye presented tying APT38 to North Korea, Ilia Kolochenko, CEO of High-Tech Bridge, based in Geneva, noted via email that "attribution remains a task of extreme complexity," adding that "cybercriminals use highly creative methodologies to frame innocent third-parties (including governments) and hide the true source of the attack.
"Modern cybercrime groups have access to skilled political scientists, legal and financial experts. They meticulously develop well-thought-out attack scenarios to hinder technical investigation, making reliable attribution virtually impossible," Kolochenko said. "Moreover, in light of today's global political tensions, people tend to quickly blame their rivals for large-scale cyberattacks before finishing an investigation. Thus, I would refrain from rapid conclusions, and rather concentrate on building sustainable cybersecurity defense, response and forensics capacities."