North Korean Financial Hacking Group Revealed

Pyongyang targeted $1.1 billion in recent cyber bank heists

Kim Jong Un
Getty Images
October 3, 2018

North Korean hackers are engaged in sophisticated financial hacking operations that have targeted at least $1.1 billion in thefts from nearly a dozen countries ranging from Asia to South America to Europe, according to a new report by a noted cyber security group.

Using a combination of fraudulent emails, malicious software and destructive cyber attacks, the North Korean group dubbed APT38 is distinct from Pyongyang's other cyber espionage and political operations, such as the 2014 cyber attack against Sony Pictures Entertainment, according to a report by the cyber security firm FireEye.

"Based on observed activity, we judge that APT38's primary mission is targeting financial systems to raise large sums of money for the North Korean regime," the report, "APT38: Un-usual Suspects," states.

"We can confirm that the APT38 operator activity is linked to the North Korean regime, but maintains a set of common characteristics, including motivation, malware, targeting, and [tactics, techniques, and procedures] that set it apart from other state sponsored operations," the report added.

Sandra Joyce, FireEye's vice president for global intelligence operations, said the group is a cyber criminal group with all the hallmarks of a cyber espionage operation.

"They are doing some of the world's largest financial thefts," said Joyce. "And just from what we observed, we obtained $1.1 billion through our own observations and public reporting that has attempted to be stolen so far."

The sophisticated group is both well financed and involves large numbers of people, operating in North Korea and China, and a key characteristic is the group's use of destructive malware at the end of their bank heists to try and cover up the cyber thefts.

The North Koreans began aggressive financial hacking operations in February 2014 and were influenced by international financial sanctions imposed a month later that blocked bulk cash transfers and restricted Pyongyang's ability to move cash through the international banking systems.

The report said increased activity by the North Korean hackers reflects desperate attempts by the regime of North Korean leader Kim Jong Un to raise cash as a result of ever-tightening international sanctions against the regime for its nuclear and missile programs.

Since 2015, the group appears to have stolen hundreds of millions of dollars by penetrating the global SWIFT banking transfer system. SWIFT is the Society for Worldwide Interbank Financial Telecommunications that is used by banks and financial institutions to securely transfer money around the world.

Among the victims of the North Korean financial hacking group have been the major cyber bank heist in Bangladesh in February 2016 that netted Pyongyang $81 million.

Other targets includes Vietnam's TP Bank in December 2015, Taiwan's Far Eastern International Bank in October 2017, Mexico's Bancomext in January, and Banco de Chile in May.

The Chilean bank heist took place a month before the historic summit between President Trump and Kim.

Joyce said the group's cyber financial thefts continue despite the diplomatic engagement.

Banks and related targets in the United States, India, Russia, Poland, Turkey, Brazil, Uruguay, Mexico, Malaysia, Philippines, and Ecuador were also targets of the financial hacker group.

The report said the APT38 group is distinct from two other North Korean state-sponsored hacking groups, including Pyongyang's cyber espionage group dubbed TEMP.Hermit, and a third group linked to destructive malware cyber strikes known as Lazarus.

Lazarus was linked by investigators to the cyber attacks against Sony Pictures Entertainment that was designed to punish the movie company for its movie The Interview, which contained an unflattering portrayal of North Korean dictator Kim Jong Un.

Disclosure by FireEye of the financial hacking group comes as the Justice Department last month released new intelligence information identifying the key player behind North Korean hacking operations as Park Jin Hyok.

Park was identified as part of the North Korean intelligence agency known as the Reconnaissance General Bureau, specifically its Sixth Technical Bureau and specifically a special unit known as Lab 110.

The FireEye report said that APT38 worked together with North Korea's cyber espionage unit, TEMP.Hermit in the bank heists. The cyber espionage group conducted extensive pre-theft reconnaissance of bank networks, sometimes for several months.

The financial hackers would then conduct the theft of funds—often conducting destructive malware attacks after the heists in order to cover their digital tracks.

In one case of a cyber theft operation against an African bank, the North Koreans planted software called NESTEGG that allowed the hackers to maintain cover access through a digital back door into the bank's network and attempted to steal $100 million. The report did not say if the major heist succeeded.

North Korean hackers also attempted in August to break into networks of India's Cosmos Bank through fraudulent Automated Teller Machines (ATM) and SWIFT transactions.

FireEye said it has not seen North Korean hackers target ATM machines in the United States.

The FBI, Homeland Security, and Treasury Department separately on Tuesday issued a public alert warning that North Korean government hackers were detected attempting to steal cash from ATM machines in Africa and Asia, but not in the United States.

The North Korean ATM hacker activity was carried out by a group the U.S. government code-named Hidden Cobra.

"Hidden Cobra actors target the retail payment system infrastructure within banks to enable fraudulent ATM cash withdrawals across national borders," the report said.

The FireEye report said that in addition to targeting banks for cyber theft, the North Koreans also have targeted several countries government financial governing bodies and media organizations covering the financial sector.

"We surmise that the targeting of banks, media, and government agencies is conducted in support of APT38's primary mission," the report said.

The North Korean hackers also were able to hijack internet websites and use them as "watering holes" to attack unsuspecting victims who could assist in the bank robberies.

Recent diplomatic engagement between the United States and North Korea aimed at ending the North's nuclear and missile programs has not dampened efforts by Pyongyang to conduct cyber bank robberies, the report said.

"We believe APT38's operations will continue in the future," the report said, noting that the number of bank cyber attacks that were halted "could drive APT38 to employ new tactics to obtain funds espionage if North Korea's access to current continues to deteriorate."

Published under: China , Cyber Security