This article is more than 1 year old

'Desperate' North Korea turns to bank hacking sprees to rake in much-needed dosh

State-sponsored intrusions meets financial acquisition with APT38

Hackers backed by the North Korea government are attempting to ransack foreign banks to raise funds for the cash-strapped hermit nation.

Researchers at FireEye say that a gang dubbed APT38* are trying to pull off a billion-dollar money grab, and are working separate from the infamous Nork-sponsored Lazarus group.

According to FireEye, the APT38 group is apparently operating as a subset of a larger North Korean hacking operation known as TEMP.Hermit. The bank-focused group is thought to be behind North Korean cyber-attacks on the 2016 Bank of Bangladesh heist and the 2018 Banco de Chile attack, and others, incidents that had previously only been believed to have been TEMP.Hermit operations.

As a result, researchers have had to reassess their picture of North Korea's hacking operation, finding the entire operation to actually be the work of a number of increasingly specialized operations.

In the case of APT38, the operation consists of individuals that come from 16 different government organisations and operate in at least 11 different countries. The group specialises in extracting huge sums of cash from banks via the SWIFT transaction system, often using sophisticated attacking tools that had previously been reserved for attacks on governments for espionage operations.

"APT38 executes sophisticated bank heists typically featuring long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards," FireEye said.

Those nukes won't fund themselves

Why the use of such sophisticated and intricate operations just to attack banks? FireEye said it believed the political pressure and economic sanctions that have piled up against Pyongyang over the years have made the country go to great lengths to obtain new cash infusions.

Absent other ways to bring in funds, North Korea has now resorted to using its hacking resources to divert cash from other countries.


US Treasury goes after IT shops for funneling cash to North Korea


"Increasingly heavy and pointed international sanctions have been levied on North Korea following the regime's continued weapons development and testing," FireEye explained.

"The pace of APT38 activity probably reflects increasingly desperate efforts to steal funds to pursue state interests, despite growing economic pressure on Pyongyang."

The researchers don't expect the attacks to let up any time soon, either. Despite outreach efforts from the Trump administration and increased pressure by the US Department of Justice to crack down on individual hackers, the APT38 group is showing no signs of letting up.

"Based on the large scale of resources and vast network dedicated to compromising targets and stealing funds over the last few years, we believe APT38’s operations will continue in the future," said FireEye.

"In particular, the number of SWIFT heists that have been ultimately thwarted in recent years coupled with growing awareness for security around the financial messaging system could drive APT38 to employ new tactics to obtain funds especially if North Korea’s access to currency continues to deteriorate." ®

* In infosec terms, an acronym for "advanced persistent threat" - a sustained attack by a team of bad actors on a network/s which remains undetected for a long period of time, sometimes years (usually well-funded, sometimes by a state, so the group can remain, er, "persistent").

More about


Send us news

Other stories you might like