APT38

APT38 threat group is a North Korean state-sponsored threat actor specializing primarily in targeting banks and financial institutions. The group is believed to take direction or may be part of the North Korean Reconnaissance General Bureau (RGB). The RGB is a North Korean intelligence agency that runs the state’s covert intelligence operations. Historically, the RGB has focused operations in the United States, South Korea, and Japan. APT38 has almost continuously targeted financial institutions, cryptocurrency, the SWIFT system users and endpoints, and ATMs in over 35+ countries worldwide.

SWIFT is a global member-owned cooperative. SWIFT provides the software infrastructure financial institutions worldwide use to manage secure financial messaging. Most recognize SWIFT as the leading monetary fund transfer system (wire transfer). The SWIFT base includes well over 11,000 banking and securities organizations distributed globally.

APT38 has run a wide variety of attacks against banks worldwide. For example, in 2016, APT38 was responsible for the Bank of Bangladesh heist, during which time they successfully exfiltrated $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018). Other bank attack operations included the theft at the Far Eastern International Bank of Taiwan, which involved automating the cash-out of ATMs in the bank’s network.

Anatomy of an APT38 Attack

Various research groups have gathered well-informed data about the procedures of APT38’s attacks on SWIFT networks. For example, these are the stages observed in one APT38 attack:

• Stage 1—Research. APT38 conducts research into a target organization and related third-party vendors. Their goal is to understand how this particular organization operates SWIFT transactions. Their purpose includes understanding how they originate, create, approve, and execute transactions using the SWIFT infrastructure.
• Stage 2—Compromise. APT38 utilized “watering holes” and exploited a vulnerable version of Apache Struts2 to execute malicious code.
• Stage 3—Reconnaissance. APT38 deployed malware tools to gather credentials, developed a map of the victim’s network topology, and “lived off the land” using tools already present in the targeted organization’s network to perform scans.
• Stage 4- Impacted the Targeted Organization’s SWIFT Servers. APT38 threat actors installed their reconnaissance malware and network monitoring tools on systems used for SWIFT. As a result, they are now deep into exactly how the transactions flow through these systems, how they are managed and configured, and the specific personnel involved.
• Stage 5—Exfiltrate Funds. APT38 threat actors executed and approved fraudulent SWIFT transactions and then altered transaction history. They aim to provide enough obfuscation that the “approved” transactions are not noticed or reviewed until the transfer is completed. At times, they might start a fraudulent transaction late on Friday, expecting the transaction to be complete over the weekend before additional oversight and review could be completed. The exfiltrating of funds was complemented by many standard money laundering techniques, including the repeated transfer through banks and countries that don’t work cooperatively with the EU or the US to obfuscate the money transaction trail.
• Stage 6—Destroy Logs and Wipe Disks. At the end of the cyberattack, the APT39 threat actors hurry to quietly delete logs and deploy disk-wiping malware and other techniques to disrupt any forensic and audit activity.

APT38 exhibits sophisticated and patient behavior. They have shown an ability to wait for months patiently, and in some cases, perhaps years, to complete a cyberattack and fund exfiltration. This patience makes APT38 even more dangerous to major banks and financial institutions.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.