North Korean Financial Hacking Group Revealed

Pyongyang targeted $1.1 billion in recent cyber bank heists

North Korean hackers are engaged in sophisticated financial hacking operations that have targeted at least $1.1 billion in thefts from nearly a dozen countries ranging from Asia to South America to Europe, according to a new report by a noted cyber security group.

Using a combination of fraudulent emails, malicious software and destructive cyber attacks, the North Korean group dubbed APT38 is distinct from Pyongyang's other cyber espionage and political operations, such as the 2014 cyber attack against Sony Pictures Entertainment, according to a report by the cyber security firm FireEye.

"Based on observed activity, we judge that APT38's primary mission is targeting financial systems to raise large sums of money for the North Korean regime," the report, "APT38: Un-usual Suspects," states.

"We can confirm that the APT38 operator activity is linked to the North Korean regime, but maintains a set of common characteristics, including motivation, malware, targeting, and [tactics, techniques, and procedures] that set it apart from other state sponsored operations," the report added.

Sandra Joyce, FireEye's vice president for global intelligence operations, said the group is a cyber criminal group with all the hallmarks of a cyber espionage operation.

"They are doing some of the world's largest financial thefts," said Joyce. "And just from what we observed, we obtained $1.1 billion through our own observations and public reporting that has attempted to be stolen so far."

The sophisticated group is well financed and involves large numbers of people operating in North Korea and China, and a key characteristic is its use of destructive malware at the end of bank heists to cover up the thefts.

The North Koreans began aggressive financial hacking operations in February 2014 and were influenced by international financial sanctions imposed a month later that blocked bulk cash transfers and restricted Pyongyang's ability to move cash through the international banking systems.

The report said increased activity by the North Korean hackers reflects desperate attempts by the regime of North Korean leader Kim Jong Un to raise cash as a result of ever-tightening international sanctions against the regime for its nuclear and missile programs.

Since 2015, the group appears to have stolen hundreds of millions of dollars by penetrating the global SWIFT banking transfer system. SWIFT is the Society for Worldwide Interbank Financial Telecommunications that is used by banks and financial institutions to securely transfer money around the world.

The group's victims include the target of the major cyber bank heist in Bangladesh in February 2016 that netted Pyongyang $81 million.

Other targets include Vietnam's TP Bank in December 2015, Taiwan's Far Eastern International Bank in October 2017, Mexico's Bancomext in January, and Banco de Chile in May.

The Chilean bank heist took place a month before the historic summit between President Trump and Kim.

Joyce said the group's cyber financial thefts continue despite the diplomatic engagement.

Banks and related institutions in the United States, India, Russia, Poland, Turkey, Brazil, Uruguay, Mexico, Malaysia, the Philippines, and Ecuador were also targeted by the financial hacking group.

The report said the APT38 group is distinct from two other North Korean state-sponsored hacking groups: Pyongyang's cyber espionage group, dubbed TEMP.Hermit, and a group linked to destructive malware cyber strikes, known as Lazarus.

Lazarus was linked by investigators to the cyber attacks against Sony Pictures Entertainment that were designed to punish the movie company for its film The Interview, which contained an unflattering portrayal of North Korean dictator Kim Jong Un.

Disclosure by FireEye of the financial hacking group comes as the Justice Department last month released new intelligence information identifying the key player behind North Korean hacking operations as Park Jin Hyok.

Park was identified as part of the North Korean intelligence agency known as the Reconnaissance General Bureau, specifically its Sixth Technical Bureau and a special unit within it known as Lab 110.

The FireEye report said that APT38 worked together with North Korea's cyber espionage unit, TEMP.Hermit, in the bank heists. The cyber espionage group conducted extensive pre-theft reconnaissance of bank networks, sometimes for several months.

The financial hackers would then carry out the theft of funds, often launching destructive malware attacks after the heist in order to cover their digital tracks.

In one case of a cyber theft operation against an African bank, the North Koreans planted software called NESTEGG that allowed the hackers to maintain covert access through a digital back door into the bank's network, and attempted to steal $100 million. The report did not say if the major heist succeeded.

North Korean hackers also attempted in August to break into the networks of India's Cosmos Bank through fraudulent automated teller machine (ATM) and SWIFT transactions.

FireEye said it has not seen North Korean hackers target ATMs in the United States.

The FBI, Homeland Security, and Treasury Department separately on Tuesday issued a public alert warning that North Korean government hackers had been detected attempting to steal cash from ATMs in Africa and Asia, but not in the United States.

The North Korean ATM hacker activity was carried out by a group the U.S. government code-named Hidden Cobra.

"Hidden Cobra actors target the retail payment system infrastructure within banks to enable fraudulent ATM cash withdrawals across national borders," the report said.

The FireEye report said that in addition to targeting banks for cyber theft, the North Koreans have also targeted government financial governing bodies in several countries and media organizations covering the financial sector.

"We surmise that the targeting of banks, media, and government agencies is conducted in support of APT38's primary mission," the report said.

The North Korean hackers were also able to hijack websites and use them as "watering holes" to attack unsuspecting victims who could assist in the bank robberies.

Recent diplomatic engagement between the United States and North Korea aimed at ending the North's nuclear and missile programs has not dampened efforts by Pyongyang to conduct cyber bank robberies, the report said.

"We believe APT38's operations will continue in the future," the report said, noting that the number of bank cyber attacks that were halted "could drive APT38 to employ new tactics to obtain funds, especially if North Korea's access to currency continues to deteriorate."

Bill Gertz
Bill Gertz is senior editor of the Washington Free Beacon. Prior to joining the Beacon he was a national security reporter, editor, and columnist for 27 years at the Washington Times. Bill is the author of seven books, four of which were national bestsellers. His most recent book was iWar: War and Peace in the Information Age, a look at information warfare in its many forms and the enemies that are waging it. Bill has an international reputation. Vyachaslav Trubnikov, head of the Russian Foreign Intelligence Service, once called him a “tool of the CIA” after he wrote an article exposing Russian intelligence operations in the Balkans. A senior CIA official once threatened to have a cruise missile fired at his desk after he wrote a column critical of the CIA’s analysis of China. And China’s communist government has criticized him for news reports exposing China’s weapons and missile sales to rogue states. The state-run Xinhua news agency in 2006 identified Bill as the No. 1 “anti-China expert” in the world. Bill insists he is very much pro-China—pro-Chinese people and opposed to the communist system. Former Defense Secretary Donald H. Rumsfeld once told him: “You are drilling holes in the Pentagon and sucking out information.” His Twitter handle is @BillGertz.
