A new state-sponsored attack from North Korea is being seen as an effort by the cash-strapped dictatorship to raise funds by exploiting foreign banks.
Researchers with FireEye say that a bank-targeting group dubbed APT38* is behind a billion-dollar money grab by North Korean actors separate from the infamous Lazarus group.
According to FireEye, the APT38 group is apparently operating as a subset of a larger North Korean hacking operation known as TEMP.Hermit. The bank-focused group is now thought to be behind North Korean attacks including the 2016 Bank of Bangladesh heist and the 2018 Banco de Chile attack, incidents that had previously been attributed solely to TEMP.Hermit.
As a result, researchers have had to reassess their picture of North Korea's hacking operation, finding that what had looked like a single operation is actually the work of a number of increasingly specialised units.
In the case of APT38, the operation consists of individuals who come from 16 different government organisations and operate in at least 11 different countries. The group specialises in extracting huge sums of cash from banks via the SWIFT transaction system, often using sophisticated attack tools that had previously been reserved for espionage operations against governments.
"APT38 executes sophisticated bank heists typically featuring long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards," FireEye said.
Those nukes won't fund themselves
Why the use of such sophisticated and intricate operations just to attack banks? FireEye said it believed the political pressure and economic sanctions that have piled up against Pyongyang over the years have made the country go to great lengths to obtain new cash infusions.
Absent other ways to bring in funds, North Korea has now resorted to using its hacking resources to divert cash from other countries.
"Increasingly heavy and pointed international sanctions have been levied on North Korea following the regime's continued weapons development and testing," FireEye explained.
"The pace of APT38 activity probably reflects increasingly desperate efforts to steal funds to pursue state interests, despite growing economic pressure on Pyongyang."
The researchers don't expect the attacks to let up any time soon, either. Despite outreach efforts from the Trump administration and increased pressure by the US Department of Justice to crack down on individual hackers, the APT38 group is showing no signs of slowing down.
"Based on the large scale of resources and vast network dedicated to compromising targets and stealing funds over the last few years, we believe APT38’s operations will continue in the future," said FireEye.
"In particular, the number of SWIFT heists that have been ultimately thwarted in recent years coupled with growing awareness for security around the financial messaging system could drive APT38 to employ new tactics to obtain funds especially if North Korea’s access to currency continues to deteriorate." ®
* In infosec terms, an acronym for "advanced persistent threat" - a sustained attack by a team of bad actors on one or more networks which remains undetected for a long period of time, sometimes years (usually well-funded, sometimes by a state, so the group can remain, er, "persistent").