Aliases: APT 38, APT38, Bluenoroff, Stardust Chollima. Subgroup: Bluenoroff
According to the information available to us, ATK117 (APT38) appears to be a North Korean state-sponsored threat actor whose remit resembles that of Unit 180 of the Reconnaissance General Bureau (RGB), North Korea's military intelligence agency. Unit 180 is the unit tasked with raising funds for the regime and for its cyber activity. This activity has existed since at least 2014 and appears to have intensified as North Korea has come under severe financial sanctions over its development of new weapons. The economic pressure on Pyongyang pushes the North Korean government to find new ways to obtain funding.
APT38 is a financially motivated North Korean threat group that has developed several ways to steal money, ranging from targeted intrusions into banks and cryptocurrency exchanges to the spreading of ransomware. The group appears to have begun studying financial transaction systems in 2014 and had developed malware targeting SWIFT-connected systems by 2015. From 2014 to 2017 it mostly targeted organizations in Southeast Asia, expanding to South America and Africa in mid-2016, and it also targeted Europe and North America between October 2016 and October 2017.
APT38 has a complete arsenal of malware and tools that employ defense evasion techniques and false flags (poorly translated Russian strings in some samples, reuse of known malware families), so language artifacts in a sample should not be treated as reliable attribution evidence on their own. It is possible that this malware was developed by another unit (such as Unit 31), in which case the same techniques could be used by other North Korean groups. Despite this arsenal, APT38 uses living-off-the-land tools wherever possible. The group invests effort in discovering the targeted environment and in maintaining access for as long as possible while remaining undetected until it reaches its goal; FireEye estimates that it stays in a victim network for approximately 155 days.
Since 2018 the group has gone from stealthy to noisy, using the destructive KillDisk wiper as a distraction while it targets the SWIFT network to initiate fraudulent transactions.
We suspect Unit 180 of being the source of the WannaCry ransomware in 2017.
A report from the UN Security Council said that North Korea is carrying out "widespread and increasingly sophisticated" cyberattacks and estimated that North Korea has generated $2 billion from them to fund its weapons programs.
REFERENCES
Ji Young Kong, Jong In Lim, and Kyoung Gon Kim, ‘The All-Purpose Sword: North Korea’s Cyber Operations and Strategies’ (Tallinn: 2019 11th International Conference on Cyber Conflict, 2019), https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf.
U.S. Department of the Treasury, ‘Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups’, U.S. Department of the Treasury, 13 September 2019, https://home.treasury.gov/news/press-releases/sm774.
BluVector Threat Team, ‘Lazarus Group Uses KillDisk as a Distraction for SWIFT Attacks’, BluVector, 12 June 2018, https://www.bluvector.io/threat-report-lazarus-group-killdisk-swift/.
Michelle Nichols, ‘North Korea Took $2 Billion in Cyberattacks to Fund Weapons Program: U.N. Report’, Reuters, 5 August 2019, sec. Aerospace and Defense, https://www.reuters.com/article/us-northkorea-cyber-un-idUSKCN1UV1ZX.
Gilbert Sison et al., ‘KillDisk Variant Hits Latin American Financial Groups’, Trend Micro, 15 January 2018, https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html.
FireEye, ‘APT38: Un-Usual Suspects’, FireEye, 3 November 2018, https://content.fireeye.com/apt/rpt-apt38.