FireEye has released a report covering most bank espionages and SWIFT attacks launched by APT38 from North Korea.
PUBLISH DATE: 04-Oct-2018
A recent FireEye report covers various activities of threat actors from North Korea, tracked as APT38. APT38 seems to have been operating since 2014 and has targeted financial institutions stealing at least a $100 million from banks worldwide.
There are numerous SWIFT banking systems that have been targeted, including the hack of Vietnam’s TP Bank in 2015, Bangladesh’s central bank in 2016, Taiwan’s Far Eastern International in 2017, Bancomext in Mexico in 2018, and Banco de Chile in 2018. FireEye seems to believe that it was UN economic sanctions levied against North Korea after a suite of nuclear tests carried out in 2013 that led to the rise of this state-funded hacker group.
The attacks are aimed at currency acquisition since the North Korean state is facing multiple sanctions imposed on them.
TIMELINE OF EVENTS
FireEye estimates a targeted heist of over $1.1 billion by the APT38. However, roughly $100 million could be stolen.
FireEye experts wrote in their report. “The group has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, necessary permissions, and system technologies to achieve its goals.”
The group stands out due to the excessive care and precaution it takes while attacking its target. Massive evaluation of target systems is carried out before the heists are launched. To ensure perfection in the attacking techniques, the group may remain dormant for months while working on the attack strategies.
The most striking thing about the group is that they don’t leave evidence behind. In cases they weren’t able to delete specific logs from devices, they often deployed ransomware or disk-wiping malware instead.
The Hermes Ransomware: After withdrawing large amount of money from their ATMs, APT38 deployed the Hermes ransomware on the network of Far Eastern International Bank (FEIB) in Taiwan. Quite conveniently, the IT experts were diverted to data recovery actions rather than focusing on ATM monitoring systems.
KillDisk malware: After a failed attempt of stealing $110 million from Bancomext, APT38 deployed the KillDisk disk-wiping malware on its network. The same malware was deployed by APT38 on the network of Banco de Chile after a successful heist of $10 million.
Analyzing the malware’s sources, IT experts were able to link it to the North Korean hacking group. However, multiple units of North Korea’s hacking infrastructure resemble one another as they reuse malware and tools for launching attacks.
“In particular, the number of SWIFT heists that have been ultimately thwarted in recent years coupled with growing awareness for security around the financial messaging system could drive APT38 to employ new tactics to obtain funds especially if North Korea’s access to currency continues to deteriorate.” FireEye’s report says.
A successful attack can have many impacts on an organization’s assets. It may steal information and money, as well as may harm the reputation of the organization. A network attack may cause temporary or permanent loss of sensitive data, or may lead to manipulation of data, like in case of malware deployment wiping off system memory. It may also disrupt regular operations of the organization.
Further financial losses will be suffered when trying to restore systems and files, especially in cases of ransomware deployment on systems.
Geographically, targets of the APT38 do not belong to a certain area. Following map shows the major targets of APT38.
“We have observed APT38 remain within a victim network approximately 155 days, with the longest time within a compromised system believed to be 678 days (two years)” reported FireEye experts.
Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Continuous monitoring of all the activity on the network is essential to pinpoint any cyber espionage targeting an organization.