Threat Actor: APT 38; AKA "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima"
Date of Activity: ~2014-Present
Area of Operations: Global Hacking Operations
Overview: APT 38 is a North Korean cyber espionage group that has been active since at least 2014. The group is known for its advanced tactics, techniques, and procedures (TTPs) and has been linked to numerous high-profile cyber-attacks against banks, cryptocurrency exchanges, and other organizations around the world.
APT 38 is believed to be state-sponsored and operates on behalf of the North Korean government. It has been linked to several campaigns, including the attack on Sony Pictures in 2014, the Bangladesh Bank heist in 2016, and the WannaCry ransomware attack in 2017.
One of the hallmarks of APT 38 is its ability to evade detection and maintain a long-term presence on compromised networks. The group has been known to use custom malware, such as HOPLIGHT and BADCALL, and has been observed using a range of sophisticated techniques to evade detection, including the use of encrypted communications and the abuse of legitimate tools and infrastructure.
APT 38 has also been known to target specific individuals within organizations, using spear phishing campaigns to gain access to their systems. The group has a particular focus on financial institutions and has been linked to several major bank thefts, including the Bangladesh Bank heist, in which over $80 million was stolen.
Specifically, the Bangladesh Bank heist was a cyber-attack that occurred in February 2016, in which hackers attempted to steal over $1 billion from the Bangladesh Bank, the central bank of Bangladesh. The attack was successful in stealing approximately $81 million, which was transferred to accounts in the Philippines and later traced to casinos in the country.
The attack was carried out using the SWIFT network, a global financial messaging system used by banks to transfer funds. The hackers gained access to the Bangladesh Bank's systems and used the SWIFT network to send a series of fraudulent transfer requests to the Federal Reserve Bank of New York, which handles transactions for the Bangladesh Bank.
The attack was discovered when one of the fraudulent transfer requests, which was for $20 million to be sent to a non-profit organization in Sri Lanka, was flagged as suspicious. This led to an investigation and the discovery of the other fraudulent requests. However, by that time, many of the transfers had already been completed and the funds had been transferred to the accounts in the Philippines.
The Bangladesh Bank heist was a major incident and one of the largest cyber-attacks on a financial institution to date. It highlighted the vulnerabilities of the SWIFT network and the potential for hackers to use it to carry out large-scale attacks.
In the aftermath of the attack, the Bangladesh Bank and the SWIFT network implemented a number of security measures to improve their defenses against similar attacks.
APT 38 is a highly skilled and persistent threat actor that continues to pose a significant risk to organizations around the world while attempting to fund and legitimize DPRK.
• Nation-state tool set; to include exploits, implants, and RATs
• Sophisticated Social engineering
• The creation of fake organizations and brands to evoke legitimacy
• Supply-chain interdiction and attacks
• Implementing encrypted communications and co-opted infrastructure
• Targeted spear phishing attacks on organizations and personas