Inside the North Korean hacking operation behind …



FireEye details how this money-stealing operation it now calls APT 38 came into being in the last four years and how it works.

FIREEYE CYBER DEFENSE SUMMIT – Washington, DC – FireEye researchers today unveiled how a North Korean hacking team called APT 38 had attempted to steal $1.1 billion from financial institutions around the world.

FireEye had previously attributed the cyberattacks on the international interbank messaging system SWIFT at various banks to a group of North Korean hackers called TEMP.Hermit, which had mainly conducted cyber espionage attacks against the energy and defense sectors in South Korea and the United States.

APT 38's main objectives, however, are financial, on behalf of the North Korean government: since 2015, the hacking team has stolen hundreds of millions of dollars from at least five banks (including Bangladesh Bank and Banco de Chile) and has compromised 16 organizations in 11 countries in Latin America, Europe and the United States, according to FireEye.

"This is the first time that a cybercrime group is essentially funding a scheme," said Nalani Fraser, FireEye's North Korea threat intelligence officer.

North Korean hacking teams are generally grouped under the name Lazarus Group, the group responsible for the epic breach, destructive attack and data destruction at Sony Pictures Entertainment in 2014, and for WannaCry in 2017. After the Sony breach, according to FireEye's analysis, North Korea's hacking machine began to split into different groups, and APT 38 began to emerge as a separate entity. The rise of APT 38 coincided with the financial pressure exerted by international economic sanctions against North Korea.

But CrowdStrike says it has been tracking this same group since 2016, under the nickname Stardust Chollima. Adam Meyers, vice president of intelligence at CrowdStrike, said his company attributed the attacks against the SWIFT system to the North Korean group.

"Stardust Chollima has been associated with a number of financially motivated attacks in order to generate revenue for the North Korean regime, targeting the international financial system, regional banks in developing economies, and trade and cryptocurrency companies," said Meyers. "These attacks are expected to continue due to the economic impact on the DPRK as a result of international sanctions."

No Smash-and-Grab

There are still many overlaps between the three major North Korean hacking groups, but FireEye researchers say APT 38 stands out for its specialized custom tools and its focus on the operations of financial organizations. APT 38 uses at least 39 sets of tools and is known for its in-depth study of its targets, often staying in a target's network for long periods before making its move. It is not a smash-and-grab operation, said Jacqueline O'Leary, senior threat intelligence analyst at FireEye.

On average, APT 38 spends 155 days in a compromised network. And in one case, it lay quiet on a victim's network for two years before moving on the money. "They can reconcile multiple motivations, financial incentives, and they operate as a traditional espionage operation," said O'Leary. "Sometimes they wait two years before attempting transactions" with a bank, for example.

APT 38 devotes this time to collecting credentials, mapping the network, and scanning systems for information and vulnerabilities.

"Once we saw them leveraging a legitimate file program already inherent in a compromised host, they used it to transfer and remove malicious programs," said O'Leary. "And another time, we saw them embed a hard-coded proxy IP address into their malicious software, which was actually specific to the victim's environment."

When APT 38 began to pivot to SWIFT servers in banking targets, for example, it used a combination of internal and legitimate tools: in one case, it used Sysmon to gather the users and processes with access to the SWIFT servers, Fraser said. "We also saw them using passive and active backdoors (…) to create tunnels and access internal systems."

To move stolen funds, APT 38 uses its so-called DYEPACK malware to make fraudulent transactions, which are generally carried out in smaller, less conspicuous increments and sent to countries with lax money-laundering laws.

"Then they burn the house down," Fraser said, which includes deleting logs and launching distractions such as ransomware attacks. In one case, it was a fake ransomware attack that was not even designed to collect a ransom, she said. "This distracted the investigators, and then they wiped the logs."
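The Sysmon-on-a-SWIFT-host detail and the "burn the house" log-wiping step above point to what a defender should be correlating in forwarded logs, since the local copies are exactly what gets destroyed. The Python detector below is an added example, not code from FireEye or this article; the host names, accounts and event lines are constructed, and the two-hour window and the Sysmon-deployment allowlist are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of forwarded Windows events, one per line:
# "timestamp,host,event_id,user,detail". Illustrative records only,
# not data from FireEye's report. Forwarded copies matter because the
# local logs are the first thing wiped before the intruders leave.
SAMPLE_EVENTS = """\
2018-09-30T02:10:00,swift-gw01,4688,CORP\\svc_backup,C:\\Temp\\Sysmon64.exe -accepteula -i
2018-09-30T02:11:30,swift-gw01,4624,CORP\\svc_backup,network logon
2018-09-30T02:40:00,ws-0419,4688,CORP\\jdoe,C:\\Windows\\System32\\notepad.exe
2018-09-30T03:05:00,swift-gw01,1102,CORP\\svc_backup,The audit log was cleared
2018-09-30T03:06:00,swift-gw01,104,CORP\\svc_backup,The System log file was cleared
2018-09-30T04:00:00,ws-0419,1102,CORP\\Administrator,The audit log was cleared
"""

LOG_CLEAR_IDS = {1102, 104}      # Security audit log cleared / System log cleared
SYSMON_INSTALL = re.compile(r"sysmon(64)?\.exe.*\s-i\b", re.I)  # Sysmon service install
# Accounts expected to deploy Sysmon in this (assumed) environment.
TOOLING_ALLOWLIST = {"CORP\\Administrator"}

def parse_events(text):
    """Turn the CSV-style lines into dicts with a real timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, eid, user, detail = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "eid": int(eid), "user": user, "detail": detail})
    return events

def detect(events, window=timedelta(hours=2)):
    """Two findings per host: every log-clear event (always worth review), and
    a log clear that follows a Sysmon install by a non-allowlisted account."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    log_cleared, tool_then_wipe = [], []
    for host, evs in by_host.items():
        clears = [e for e in evs if e["eid"] in LOG_CLEAR_IDS]
        installs = [e for e in evs if e["eid"] == 4688
                    and SYSMON_INSTALL.search(e["detail"])
                    and e["user"] not in TOOLING_ALLOWLIST]
        log_cleared += [(host, c["user"], c["eid"]) for c in clears]
        for i in installs:
            for c in clears:
                if timedelta(0) <= c["ts"] - i["ts"] <= window:
                    tool_then_wipe.append((host, i["user"], c["eid"]))
    return {"log_cleared": log_cleared, "tool_then_wipe": tool_then_wipe}

if __name__ == "__main__":
    for kind, hits in detect(parse_events(SAMPLE_EVENTS)).items():
        print(kind, hits)
```

On the sample, the SWIFT gateway host is flagged twice for a non-allowlisted Sysmon install followed by log clearing, while the workstation's clear by the expected admin account is only listed for review.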

At one bank, some 10,000 workstations and servers were taken offline by APT 38's destructive wiping operation to cover its tracks. "The employees came in to blue screens … it was just chaos," Fraser said.

APT 38 also tests its own tradecraft: "In some cases, we found that they were running an antivirus scan on a compromised host to determine if their own malware would be detected," said O'Leary.

And, in keeping with its stealthy approach, APT 38 malware is often difficult to detect. Take its SWIFT attack malware, which runs in memory and is not easily detected. "The SWIFT malware is never on disk," said Chris DiGiamo, technical director of FireEye's Mandiant team.

FireEye also published a blog post and report on APT 38 today.

Kelly Jackson Higgins is the editor of DarkReading.com. A journalist specializing in technology and business, she has over 20 years of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …
