Rewterz Threat Advisory – North Korean state-funded APT38 launches financially motivated attacks worldwide

Thursday, October 4, 2018

FireEye has released a report covering most bank espionages and SWIFT attacks launched by APT38 from North Korea.






PUBLISH DATE: 04-Oct-2018






A recent FireEye report covers various activities of threat actors from North Korea, tracked as APT38. APT38 seems to have been operating since 2014 and has targeted financial institutions stealing at least a $100 million from banks worldwide.



There are numerous SWIFT banking systems that have been targeted, including the hack of Vietnam’s TP Bank in 2015, Bangladesh’s central bank in 2016, Taiwan’s Far Eastern International in 2017, Bancomext in Mexico in 2018, and Banco de Chile in 2018. FireEye seems to believe that it was UN economic sanctions levied against North Korea after a suite of nuclear tests carried out in 2013 that led to the rise of this state-funded hacker group.



The attacks are aimed at currency acquisition since the North Korean state is facing multiple sanctions imposed on them.






  • February 2014 – APT38 launches its first known operation
  • December 2015 – Attempted heist at TPBank
  • January 2016 – APT38 multiple international banks attacked by ATP38 consecutively
  • February 2016 – Attack on Bangladesh Bank (intrusion via SWIFT inter-banking system)
  • October 2016 – APT38 watering hole attacks orchestrated on government and media sites reported
  • March 2017 – SWIFT bans access for all North Korean banks under UN sanctions
  • September 2017 – Chinese banks restrict financial activities of North Korean individuals and entities
  • October 2017 – Heist at Far Eastern International Bank in Taiwan (ATM cash-out scheme)
  • January 2018 – Bancomext in Mexico under attempted attack
  • May 2018 – Banco de Chile gets attacked






FireEye estimates a targeted heist of over $1.1 billion by the APT38. However, roughly $100 million could be stolen.



FireEye experts wrote in their report. “The group has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, necessary permissions, and system technologies to achieve its goals.”



The group stands out due to the excessive care and precaution it takes while attacking its target. Massive evaluation of target systems is carried out before the heists are launched. To ensure perfection in the attacking techniques, the group may remain dormant for months while working on the attack strategies.





The most striking thing about the group is that they don’t leave evidence behind. In cases they weren’t able to delete specific logs from devices, they often deployed ransomware or disk-wiping malware instead.



The Hermes Ransomware: After withdrawing large amount of money from their ATMs, APT38 deployed the Hermes ransomware on the network of Far Eastern International Bank (FEIB) in Taiwan. Quite conveniently, the IT experts were diverted to data recovery actions rather than focusing on ATM monitoring systems.



KillDisk malware: After a failed attempt of stealing $110 million from Bancomext, APT38 deployed the KillDisk disk-wiping malware on its network. The same malware was deployed by APT38 on the network of Banco de Chile after a successful heist of $10 million.



Analyzing the malware’s sources, IT experts were able to link it to the North Korean hacking group. However, multiple units of North Korea’s hacking infrastructure resemble one another as they reuse malware and tools for launching attacks.



“In particular, the number of SWIFT heists that have been ultimately thwarted in recent years coupled with growing awareness for security around the financial messaging system could drive APT38 to employ new tactics to obtain funds especially if North Korea’s access to currency continues to deteriorate.” FireEye’s report says.






A successful attack can have many impacts on an organization’s assets. It may steal information and money, as well as may harm the reputation of the organization. A network attack may cause temporary or permanent loss of sensitive data, or may lead to manipulation of data, like in case of malware deployment wiping off system memory. It may also disrupt regular operations of the organization.



Further financial losses will be suffered when trying to restore systems and files, especially in cases of ransomware deployment on systems.






Geographically, targets of the APT38 do not belong to a certain area. Following map shows the major targets of APT38.





“We have observed APT38 remain within a victim network approximately 155 days, with the longest time within a compromised system believed to be 678 days (two years)” reported FireEye experts.






Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Continuous monitoring of all the activity on the network is essential to pinpoint any cyber espionage targeting an organization.

Data Sheets

Corporate Brochure

Our Story



Managed Security

Upcoming Rewterz Trainings/Events

Rewterz News

  • 14, June 2019 Rewterz Threat Alert – Advanced Attack Tools Target Non-patched Systems to Distribute Cryptocurrency Miners
  • 14, June 2019 Rewterz Threat Advisory – HP Service Manager Multiple Security Bypass Vulnerabilities
  • 14, June 2019 Rewterz Threat Advisory – CVE-2019-1029 – Microsoft Lync Server 2010 / 2013 Denial of Service Vulnerability
  • 14, June 2019 Rewterz Threat Alert – “Love You” Malspam Phishing Campaign Reemerged

Copyright © Rewterz. All rights reserved.