There is a distinct and aggressive group of hackers bent on financing the North Korean regime and responsible for millions of dollars in bank heists in recent years, according to research from cybersecurity company FireEye.
The group, dubbed APT38, is distinct from other Pyongyang-linked hackers because of its overriding financial motivation — as opposed to pure espionage — and persistent targeting of banks worldwide, FireEye researchers said.
“This is an active … threat against financial institutions all around the world,” Sandra Joyce, FireEye’s vice president of global intelligence, said at a press briefing.
The group was responsible for some of the more high-profile attacks on financial institutions in the last few years, the researchers said, including the $81 million heist of the Bangladesh’s central bank in February 2016, and an attack on a Taiwanese bank in October 2017.
North Korean hackers had already been publicly linked with these attacks, but the FireEye report ties an extensive trail of digital havoc to this particular set of North Korean computer operatives.
As Pyongyang has felt the bite of international sanctions, APT38 has shown an unrelenting focus on raising money for the regime, the research shows. All told, APT38 has tried to steal $1.1 billion from financial institutions around the world, according to FireEye.
“They conduct the bank heists like criminals except they use espionage techniques,” Joyce said. “They take time, they sit in the system, they understand the process.” FireEye had a “sense of urgency” in raising awareness about APT38 “because of the insidious methods and technologies [the group is deploying] against customers around the world,” according to Joyce.
“The hallmark of this group is that it deploys destructive malware” after stealing money from an organization, she added, “not only to cover its tracks, but [also] in order to distract defenders, complicate the incident response process, and gain time to get out the door.”
North Korea has built out its cyber capabilities over the last few decades, developing a roster of hackers who defy stereotypes about a Hermit Kingdom hard-pressed for computer resources.
FireEye also tracks a set of North Korean hackers it calls TEMP.Hermit. While the groups share malware and other resources, APT38’s operations are “more global and highly specialized for targeting the financial sector,” the FireEye report states. A broader umbrella of North Korean hackers is known to the cybersecurity industry as the Lazarus Group.
On Tuesday, the U.S. government released details on malware it alleges Pyongyang’s computer operatives have used to fraudulently withdraw money from ATMs in various countries.
The unmasking of APT38 comes weeks after the Justice Department announced charges against Park Jin Hyok, a North Korean computer programmer, in connection with the 2014 hack of Sony Pictures and the 2017 WannaCry ransomware attack. Park has likely contributed to both APT38 and TEMP.Hermit operations, according to Jacqueline O’Leary, a senior threat intelligence analyst at FireEye.
The North Korean government has denied allegations that it sponsors such hacking.