A security report released Wednesday accused a unit of hackers linked to the North Korean government of stealing hundreds of millions of dollars from banks across the world over the past four years.
The report is from cybersecurity firm FireEye, which in September detected a cyber-espionage campaign apparently conducted on behalf of Iran as revenge for sanctions, and in June reported on a wave of Chinese and Russian attacks on South Korea ahead of the summit between President Donald Trump and North Korean dictator Kim Jong-un.
According to FireEye’s analysis, a hacking unit it designated “APT38” and described as a “large, prolific operation with extensive resources” raided banks in 11 different countries, targeting over a billion dollars in assets. The hackers did not get the entire $1.1 billion they were shooting for, but their haul ran into hundreds of millions of dollars.
The heists were accomplished with malware planted on the victim banks’ SWIFT infrastructure (the Society for Worldwide Interbank Financial Telecommunication messaging network used to order international transfers), which allowed the hackers to issue phony transactions in the banks’ names. The largest single score was $81 million from the central bank of Bangladesh in 2016; in that case the bogus transactions funneled money into bank accounts in the Philippines, from which the cash was withdrawn and laundered through casinos.
“They conduct the bank heists like criminals except they use espionage techniques. They take time, they sit in the system, they understand the process,” FireEye Vice President of Global Intelligence Sandra Joyce said.
Joyce said APT38’s modus operandi is to dump destructive malware into computer systems as it departs after a heist to “cover its tracks” and “distract defenders” until it can make a clean getaway. In one case, the unit stole money from the automatic teller machines of a Taiwanese bank, then bombed the bank’s network with a ransomware program to distract its security specialists. In other instances, they covered their tracks with malware payloads that wiped out entire hard drives.
The unit seems entirely focused on invading financial networks, lurking patiently until the time to strike is right, and making off with piles of money. It has not displayed any interest in other forms of hacker mischief or technology theft to date.
North Korea is believed to maintain two other hacking units for other forms of political espionage and information gathering. FireEye analysts said APT38’s activity has thus far been lumped together with that of the other units, known as TEMP.Hermit and the Lazarus Group, but APT38 appears to be a distinct operation with its own signature software tools and specialized mission, formed after the first round of tough U.N. sanctions were imposed against North Korea’s nuclear program in 2013.
Analysts took APT38’s remarkable patience as a clear sign of nation-state sponsorship. “On average, we have observed APT38 remain within a victim network approximately 155 days, with the longest time within a compromised system believed to be 678 days,” FireEye researchers said.
The Sydney Morning Herald noted on Wednesday that Australian banks appear to be among those targeted by the North Korean team. The evidence of this includes ID codes associated with Australian financial institutions discovered in APT38 malware code dissected by FireEye.
“It seems that the North Koreans are strapped for cash and are really doing anything they can to get money. They’ll attack banks wherever they find opportunities, so all banks, including Australian ones, will be on their radar,” Australian expert Tom Uren warned, guessing the hackers would target smaller banks because they lack the resources to deal with such sophisticated intrusions.