North Korean hacking operation behind SWIFT attacks

Details about this massive bank robbery operation have been revealed

Researchers from a security and digital forensics firm have publicly disclosed details about how a team of North Korean hackers, dubbed APT 38, has tried to steal about $1.1 billion USD from financial institutions around the world. The same research group had previously attributed these cyberattacks on several banks, targeting the international interbank messaging system known as SWIFT, to a North Korean hacking group known as TEMP.

“This group of hackers is practically funding the North Korean regime”, said Nalani Fraser, one of the experts in charge of the research, referring to the group APT 38.

It is common to group all North Korean state-sponsored hackers under the name Lazarus Group, the hackers behind the theft, leaking and destruction of data at Sony Pictures Entertainment in 2014 and the WannaCry ransomware in 2017. According to the digital forensics experts' analysis, it was after the Sony breach that the North Korean regime began to divide its hackers into different groups. The increase in APT 38's illegal activity coincided with financial pressure caused by international economic sanctions against North Korea.

The researchers consider that APT 38 is distinguished by its use of customized tools and its focus on the operations of financial organizations. APT 38 employs at least 39 different sets of tools and is known for conducting deep reconnaissance of its targets, remaining inside the victims' infrastructure for a long time before taking any action. During this period, APT 38 collects access credentials, maps the network, and searches for vulnerabilities in the system.

“Once, we saw them exploiting a legitimate file program inherent to a compromised host, using it to transfer and eliminate malware,” one of the experts mentioned. “On another occasion, we saw them incorporate a proxy IP coded into their malware that was actually a specific IP of the victim’s environment.”

To transfer stolen funds, APT 38 uses the so-called DYEPACK malware to carry out fraudulent transactions, most of which were made in small, less visible increments and sent to countries with lax money laundering laws. The hackers then erased traces of the attack, including log histories, while distracting security teams with ransomware attacks. On one occasion, about 10,000 of a bank’s workstations and servers were taken offline by APT 38’s destructive cleanup operation to cover its tracks.

According to digital forensics specialists from the International Institute of Cyber Security, the malware used by APT 38 is very difficult to detect and equally difficult to remove from a system, since it runs only in memory and never resides in other components.