Identity of North Korea-backed hacker group stealing millions from global banks unveiled

FireEye says research on APT38 shows hacker group to be a financially motivated one that has tried to steal more than US$1.1 billion since starting in 2014.

Staff monitor the spread of the WannaCry ransomware cyberattack from the Korea Internet and Security Agency (KISA) in Seoul. (Photo: AFP)

WASHINGTON DC, United States: Cybersecurity vendor FireEye on Wednesday (Oct 3) published an in-depth report on a new North Korea-backed hacker group - APT38 - that is financially motivated and has managed to steal “hundreds of millions” from banking institutions worldwide.

The report, released during a conference in Washington, said APT38 has compromised more than 16 organisations in at least 11 different countries, sometimes simultaneously, since at least 2014 and has tried to steal more than US$1.1 billion. 

These organisations include Vietnam’s Tien Phong Bank (TPBank), the Bangladesh central bank and Taiwan’s Far Eastern International Bank. The report also mentioned that Malaysia was targeted.

Malaysia’s central bank had in March this year said it foiled a cyberattack in which fraudulent messages to transfer funds were sent on the SWIFT messaging platform. 

The group’s primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime, FireEye said. 

Some of its known characteristics include long planning, extended periods of access to the victims’ compromised systems for reconnaissance before the actual heist and efforts to thwart investigations, including a willingness to completely destroy compromised machines afterwards, it said. 

Elaborating, Ms Sandra Joyce, vice president and head of Global Intelligence at FireEye, said during a media briefing ahead of the report's launch that APT38 would spend on average 155 days in its victims’ networks. In one instance, it stayed unnoticed for almost two years, she added.

As for covering their tracks, Ms Joyce said the group had once made 10,000 workstations and servers “completely inoperable”.

“(APT38) conducts bank heists like criminals but with the skill of an espionage operation,” she added. 


On linking the group with raising money for North Korea, FireEye said the increasingly heavy and targeted international sanctions on the country correlate with the hackers’ activities.

“The pace of APT38 activity probably reflects increasingly desperate efforts to steal funds to pursue state interests, despite growing economic pressure on Pyongyang,” it said.

Backing this observation, a timeline in its report said the group’s first known operation took place in February 2014, almost a year after the UN Security Council imposed financial sanctions on North Korea for conducting its third nuclear test. 

The sanctions enacted in 2016 further curtailed the country’s access to both funds and the international financial system, and these in a single year “likely increased pressure for North Korea to come up with funds quickly as evinced by their attempted heist in February 2016 (involving the Bangladesh central bank) only two months after a foiled attempt in December 2015 (attempted heist on TPBank)”.


So, why is FireEye revealing specific details on APT38 now?

Ms Joyce said previous reports on North Korea’s hacking lumped financial, espionage and disruptive activities into the umbrella term of “Lazarus”. Lazarus is the North Korea-sponsored cyber unit also known as Hidden Cobra, and it has been blamed for attacks like last year’s WannaCry ransomware and those on Sony Pictures in 2014. 

APT38 was carved out as a separate entity to provide “specificity” on how the group conducts its attacks and on how financial institutions need to take a more proactive stance, using the details illustrated in the report, she said.

For instance, the company said APT38 is distinct from another group it identified earlier in February this year - APT37 (Reaper). 

It said while APT37 has previously targeted the financial sector, it does not focus specifically on stealing money as APT38 does.

Ms Joyce also said that, based on FireEye's investigations, there is a “live and ongoing threat” to financial institutions worldwide.

The report said that, based on the large scale of resources and the vast network dedicated to compromising targets and stealing funds over the last few years, APT38’s activities will likely continue.

Asked by Channel NewsAsia if the group is targeting a certain region in the world, and if Asia and Southeast Asia are primary targets, the executive said: “(Its focus is) not in one specific area in particular.”

FireEye did say those in the banking sector should prepare for new attack techniques. 

“The number of SWIFT heists that have been ultimately thwarted in recent years coupled with growing awareness for security around the financial messaging system could drive APT38 to employ new tactics to obtain funds, especially if North Korea’s access to currency continues to deteriorate,” it said. 

Source: CNA/kk

