North Korean hacking group APT38 behind heists of more than $100 million



According to a new report released today by the US cyber-security company FireEye, there is a clear and visible distinction between North Korea's hacking units, with two groups specializing in political cyber espionage and a third focused solely on robbing banks and financial institutions.

In the last four years, since the Sony hack of 2014, when the world realized that North Korea was a serious player on the cyber espionage scene, the three groups have been lumped together by the media under the generic term Lazarus Group.

However, in the report released today, FireEye experts argue that there should be a clear distinction between the three groups, and especially between those that focus on cyber espionage (TEMP.Hermit and Lazarus Group) and the one that focuses on financial crime (APT38).

Image: FireEye

The activities of the first two have been tracked and analyzed for a long time and have been the subject of dozens of reports from both the private security sector and government agencies, but little is known about the third.

Many of the third group's financially motivated hacking tools were often included in Lazarus Group reports, where they were mixed in with malware designed for cyber espionage.

But when you isolate all of these financially motivated tools and locate the incidents in which they were spotted, you get a clear picture of a completely separate hacking group that seems to operate autonomously, on an agenda separate from most of the Lazarus Group's operations.

According to FireEye, this group does not operate with the smash-and-grab strategy typical of everyday cybercrime groups, but with the patience of a nation-state threat actor that has the time and the tools to wait for the perfect moment to launch an attack.

Image: FireEye

FireEye said that, by gathering all of these tools and past incidents, it has detected the first signs of APT38 activity dating back to 2014, at about the same time as all the divisions associated with the Lazarus Group started operating.

But the company does not attribute the group's apparent emergence to the Sony hack and the release of the movie "The Interview". According to FireEye experts, the trigger was the economic sanctions imposed by the UN on North Korea after a series of nuclear tests in 2013.

Experts believe (and FireEye is not alone here, with other sources reporting the same thing) that, faced with declining state revenue, North Korea turned to its military hacking divisions for help bringing in funds from external sources through unorthodox methods.

These methods relied on hacking banks, financial institutions and cryptocurrency exchanges. Geography mattered little and no region was safe from APT38, according to FireEye, which reported smaller heists around the world, in countries such as Poland, Malaysia, Vietnam and others.

Image: FireEye

FireEye's "APT38: Unusual Suspects" report details the timeline of past hacks and the important milestones in the group's evolution.

  • February 2014 – Start of the first known APT38 operation
  • December 2015 – Attempted heist at TPBank
  • January 2016 – APT38 simultaneously engages in compromises of several international banks
  • February 2016 – Heist at Bangladesh Bank (intrusion via the SWIFT interbank system)
  • October 2016 – First reported APT38 watering hole attacks staged on government and media sites
  • March 2017 – SWIFT cuts off access for all North Korean banks sanctioned by the UN
  • September 2017 – Several Chinese banks restrict the financial activities of North Korean individuals and entities
  • October 2017 – Heist at Far Eastern International Bank in Taiwan (ATM cash-out)
  • January 2018 – Attempted heist at Bancomext in Mexico
  • May 2018 – Heist at Banco de Chile

Overall, FireEye estimates that APT38 has attempted to steal more than $1.1 billion, but has actually obtained about $100 million, by the company's conservative estimate.

The security company said that all of the bank cyber attacks, whether successful or not, revealed a complex modus operandi that followed patterns previously seen with nation-state attackers rather than with ordinary cybercriminals.

Their main advantage is their patience and their willingness to wait months, even years, for a hack to succeed, during which time they carry out extensive reconnaissance and surveillance of the compromised target or build tools specific to that target.

"APT38 operators are working hard to understand their environments and ensure successful deployment of tools on targeted systems," FireEye experts wrote in their report. "The group has demonstrated its willingness to maintain access to a victim environment for as long as necessary to understand the network structure, necessary permissions, and system technologies needed to achieve its goals."

"APT38 is also taking steps to ensure that they are not detected during their internal reconnaissance," they added. "On average, we found that APT38 remained in the victim network about 155 days, the longest presence in a compromised system being estimated at 678 days (almost two years)."

Image: FireEye

But the group also stands out because it did something very few other financially motivated groups have done: it destroyed evidence when it risked being caught, or after a hack, as a diversion tactic.

In cases where the group thought it had left too much forensic data behind, it did not bother to partially clean each computer's logs, but often deployed ransomware or disk-wiping malware instead.

Some argue that this was done deliberately to put investigators on the wrong track, which is a valid argument, especially since in some cases it almost worked.

For example, APT38 deployed the Hermes ransomware on the network of Far Eastern International Bank (FEIB) in Taiwan shortly after withdrawing large sums of cash from the bank's ATMs, in order to divert IT teams toward data recovery efforts instead of paying attention to the ATM monitoring systems.

APT38 also deployed KillDisk malware on the Bancomext network after an unsuccessful attempt to steal more than $110 million from the bank's accounts, and on the Banco de Chile network after APT38 managed to steal $10 million from its systems.
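The diversion pattern described in the preceding paragraphs suggests a simple triage rule for defenders: a ransomware or wiper alert that lands shortly after an ATM cash-out spike or a rejected high-value transfer should be handled as part of the same incident, with the financial systems examined first, rather than being treated as an unrelated IT failure. The Python script below is an added example, not code from the FireEye report or from this article; the log format, event names, hosts, timestamps and amounts in it are all constructed for illustration.

```python
"""Correlate destructive-malware alerts with preceding financial anomalies.

Added example. The log format and every event in SAMPLE_LOG are constructed
for illustration; they are not from the FireEye report or any real bank.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source> <event> <detail>"
SAMPLE_LOG = """\
2018-10-01T02:10:00 atm-monitor CASHOUT_SPIKE branch=17 amount=410000
2018-10-01T02:12:00 atm-monitor CASHOUT_SPIKE branch=22 amount=380000
2018-10-01T03:05:00 edr RANSOMWARE_DETECTED host=fs-01 family=constructed-ransomware
2018-10-03T09:00:00 edr RANSOMWARE_DETECTED host=ws-44 family=constructed-ransomware
2018-10-05T11:20:00 swift-gw TRANSFER_REJECTED msg=MT103 amount=110000000
2018-10-05T12:00:00 edr WIPER_DETECTED host=dc-02 family=constructed-wiper
"""

# Event names are assumptions of this example, not a real product's schema.
FINANCIAL_ANOMALIES = {"CASHOUT_SPIKE", "TRANSFER_REJECTED"}
DESTRUCTIVE = {"RANSOMWARE_DETECTED", "WIPER_DETECTED"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    kind: str
    detail: str

    @property
    def host(self) -> str | None:
        """Extract host=<name> from the detail field, if present."""
        for field in self.detail.split():
            if field.startswith("host="):
                return field[len("host="):]
        return None


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, kind, detail = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(ts), source, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def suspected_diversions(events: list[Event],
                         window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Return one record per destructive-malware alert that occurred within
    `window` after at least one financial anomaly. Each record names the
    affected host and lists the anomalies it should be triaged together with.
    Destructive alerts with no preceding anomaly are left out: they may still
    be incidents, but they do not match the diversion pattern."""
    anomalies = [e for e in events if e.kind in FINANCIAL_ANOMALIES]
    hits = []
    for e in events:
        if e.kind not in DESTRUCTIVE:
            continue
        preceding = [a for a in anomalies if e.ts - window <= a.ts <= e.ts]
        if preceding:
            hits.append({
                "host": e.host,
                "alert": e.kind,
                "alert_time": e.ts,
                "anomalies": [f"{a.kind} {a.detail}" for a in preceding],
            })
    return hits


def main() -> None:
    for hit in suspected_diversions(parse_log(SAMPLE_LOG)):
        print(f"{hit['alert_time']} {hit['alert']} on {hit['host']}: "
              f"possible diversion, check financial systems first")
        for a in hit["anomalies"]:
            print("    preceded by", a)


if __name__ == "__main__":
    main()
```

Run on the constructed log, the script pairs the ransomware alert on fs-01 with the two cash-out spikes less than an hour earlier and the wiper alert on dc-02 with the rejected $110 million transfer, while the isolated ransomware alert on ws-44 two days later is not flagged. The 24-hour window is a starting point to tune against local alert volume, not a threshold from the report.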

Initially, these hacks were reported as IT system failures, but thanks to the collective efforts of experts from around the world [1, 2, 3] and to clues in the malware's source code, experts have since linked these hacks to North Korean hacking units.

But while the FireEye report is a first step in telling North Korea's hacking units apart, the task will be difficult, mainly because all of North Korea's hacking infrastructure seems to overlap, with operators sometimes reusing malware and online infrastructure across all kinds of operations.

This problem was more than evident last month when the US Department of Justice charged North Korean hacker Park Jin Hyok with every North Korean hack under the sun, ranging from cyber-espionage operations (the Sony Pictures hack, WannaCry, the Lockheed Martin hack) to financially motivated hacks (the Bangladesh Bank heist).

But as companies such as FireEye continue to work through the series of North Korean hacks to shed light on past attacks, the Pyongyang regime does not seem interested in reining in APT38, despite some recent positive developments in diplomatic negotiations.

"We believe that APT38's operations will continue in the future," said FireEye. "In particular, the number of SWIFT heists that have ultimately been thwarted in recent years, coupled with growing security awareness around the financial messaging system, could lead APT38 to use new tactics to secure funds, particularly if North Korea's access to currency continues to deteriorate."
