North Korean hackers behind global bank heists online

Report says APT38 has netted 'hundreds of millions' of dollars for Pyongyang regime

WASHINGTON • An elite group of North Korean hackers has been identified as the source of a wave of cyber attacks on global banks that has netted "hundreds of millions" of dollars, security researchers said.

A report by the cyber security firm FireEye said yesterday that the newly identified group dubbed APT38 is distinct from but linked to other North Korean hacking operations, and has the mission of raising funds for the Pyongyang regime.

FireEye researchers said APT38 is one of several hacking cells within an umbrella group known as Lazarus, but with unique skills that have helped it carry out some of the world's largest cyberheists.

"They are a cyber criminal group with the skills of a cyber espionage campaign," said Ms Sandra Joyce, FireEye's vice-president of intelligence, in a briefing with journalists in Washington.

She said one of the characteristics of APT38 is that it takes several months, sometimes nearly two years, to penetrate and learn the workings of its targets before its attacks, which have sought to illegally transfer more than US$1 billion (S$1.4 billion) from victimised banks.

Once they succeed, she added, "they deploy destructive malware on their way out" to hide their traces.

The group has compromised more than 16 organisations in at least 11 different countries since at least 2014.

Known attacks include those on TP Bank of Vietnam in 2015, Bangladesh Bank in 2016, Far Eastern International Bank of Taiwan in 2017, and Bancomext of Mexico and Banco de Chile in 2018.

FireEye said there appears to be some sharing of resources between hacker groups in North Korea, including those involved in espionage.

Some of the information about APT38 was revealed in a US criminal complaint unsealed last month against Park Jin Hyok, charged in connection with the WannaCry ransomware outbreak and the attack on Sony Pictures.

But Park likely played only a peripheral role in APT38, which "has a focused mission to steal money to fund the North Korean regime", according to Ms Joyce.

The researchers said APT38 used extremely sophisticated techniques, including "phishing" e-mails to harvest credentials, and "watering holes": hijacked websites that appear normal but serve malware, giving the hackers further data and access.

As part of the scheme, the hackers created fake identities within known non-governmental organisations or foundations to help move the stolen money, in some cases manipulating the global interbank transfer system known as Swift.

A version of this article appeared in the print edition of The Straits Times on October 04, 2018, with the headline 'N. Korean hackers behind global bank heists online'.