North Korea blamed for digital bank heists in 11 countries, funding regime in spite of sanctions
North Korean hackers renowned for conducting online bank heists have successfully breached at least 16 victims in 11 countries in the last four years, making millions of dollars for Kim Jong-un’s regime in spite of international sanctions, a U.S. cybersecurity firm reported Wednesday.
An investigation into criminal activity attributed to the North Korean government assessed that a particular hacking group, dubbed “APT38,” began breaking into foreign banks to raise funds in the wake of the United Nations imposing financial penalties in response to Pyongyang’s nuclear program, FireEye reported.
“APT38′s operations began in February 2014 and were likely influenced by financial sanctions enacted in March 2013 that blocked bulk cash transfers and restricted North Korea’s access to international banking systems,” FireEye’s researchers reported.
The group ramped up its efforts in the following years, conducting at least nine separate attempted compromises between late 2015 and late 2016 before launching a new wave of attacks on the heels of fresh sanctions imposed in late 2017, FireEye reported.
The hackers are responsible for stealing millions of dollars earlier this year from banks in Mexico and Chile and remain “active and dangerous to financial institutions worldwide,” the report said.
Conservative estimates place APT38′s total haul at over a hundred million dollars, more than enough revenue to keep its operations afloat, FireEye reported.
In detailing APT38′s activities, FireEye described the hackers as related to but significantly distinct from the group known by names including “Lazarus” and “TEMP.Hermit,” which has previously been credited with other recent high-profile intrusions attributed to the North Korean government, most notably the 2014 breach suffered by Sony Pictures Entertainment.
Both groups share malware and are linked to the Kim regime, but APT38 specializes in financially motivated crimes while the other group largely conducts espionage, the report said.
“Since at least the beginning of 2014, APT38 operations have focused almost exclusively on developing and conducting financially motivated campaigns targeting international entities, whereas TEMP.Hermit is generally linked to operations focused on South Korea and the United States,” the report concluded.
The U.S. Department of Justice last month charged Park Jin-hyok, an accused North Korean programmer, in connection with the Sony breach and related activity connected to Pyongyang. FireEye said that APT38 conducted some of its operations using internet addresses the Justice Department previously associated with Mr. Park’s activities.
North Korea has previously denied responsibility for the Sony breach in addition to Mr. Park’s existence.