URL: https://www.securityweek.com/north-korean-attacks-banks-attributed-apt38-group/


SECURITYWEEK NETWORK:

 * Cybersecurity News
 * Webcasts
 * Virtual Events


ICS:

 * ICS Cybersecurity Conference

 * Malware & Threats
   * Cyberwarfare
   * Cybercrime
   * Data Breaches
   * Fraud & Identity Theft
   * Nation-State
   * Ransomware
   * Vulnerabilities
 * Security Operations
   * Threat Intelligence
   * Incident Response
   * Tracking & Law Enforcement
 * Security Architecture
   * Application Security
   * Cloud Security
   * Endpoint Security
   * Identity & Access
   * IoT Security
   * Mobile & Wireless
   * Network Security
 * Risk Management
   * Cyber Insurance
   * Data Protection
   * Privacy & Compliance
   * Supply Chain Security
 * CISO Strategy
   * Cyber Insurance
   * CISO Conversations
   * CISO Forum
 * ICS/OT
   * Industrial Cybersecurity
   * ICS Cybersecurity Conference
 * Funding/M&A
   * Cybersecurity Funding
   * M&A Tracker

 * Cybersecurity News
 * Webcasts
 * Virtual Events

 * ICS Cybersecurity Conference

Connect with us
 * 
 * 
 * 

Hi, what are you looking for?





SECURITYWEEK

 * Malware & Threats
   * Cyberwarfare
   * Cybercrime
   * Data Breaches
   * Fraud & Identity Theft
   * Nation-State
   * Ransomware
   * Vulnerabilities
 * Security Operations
   * Threat Intelligence
   * Incident Response
   * Tracking & Law Enforcement
 * Security Architecture
   * Application Security
   * Cloud Security
   * Endpoint Security
   * Identity & Access
   * IoT Security
   * Mobile & Wireless
   * Network Security
 * Risk Management
   * Cyber Insurance
   * Data Protection
   * Privacy & Compliance
   * Supply Chain Security
 * CISO Strategy
   * Cyber Insurance
   * CISO Conversations
   * CISO Forum
 * ICS/OT
   * Industrial Cybersecurity
   * ICS Cybersecurity Conference
 * Funding/M&A
   * Cybersecurity Funding
   * M&A Tracker




CYBERCRIME


NORTH KOREAN ATTACKS ON BANKS ATTRIBUTED TO ‘APT38’ GROUP

A report published on Wednesday by FireEye details the activities of a
financially motivated threat actor believed to be operating on behalf of the
North Korean government.

By Eduard Kovacs, October 3, 2018
The group, tracked by FireEye as APT38, focuses on targeting financial
institutions, and the company’s researchers estimate that it has stolen at least
a hundred million dollars from banks worldwide. It’s believed that the group has
attempted to steal over $1.1 billion.

Much of the North Korea-linked cyber activity has been attributed to the
notorious Lazarus, but cybersecurity firms have begun to realize that, similar
to other countries, there are actually several groups that appear to be
launching attacks on behalf of the government. The fact that their tools,
techniques and infrastructure often overlap makes it difficult to accurately
attribute an operation to a certain group.

FireEye noted that there are many similarities between APT38 and attacks
launched by other North Korea-linked groups, including Lazarus and the activity
it tracks as TEMP.Hermit. However, it believes APT38’s tools and its tactics,
techniques and procedures (TTPs) are distinct enough for it to be tracked
separately.

Some other security firms have also noticed that the financially motivated
attacks linked to Lazarus may have actually been carried out by a subgroup of
Lazarus. Kaspersky has tracked this subgroup as Bluenoroff, while CrowdStrike
has dubbed it Stardust Chollima. CrowdStrike has been tracking a total of four
subgroups, which it has named Stardust Chollima, Silent Chollima, Labyrinth
Chollima and Ricochet Chollima.

According to FireEye, APT38 has been active since at least 2014 and it has been
observed targeting over 16 organizations across 11 countries – researchers
believe the actual number of targets may be higher.



Several of these attacks made headlines in past years, and the researchers who
analyzed them reported seeing significant similarities to Lazarus campaigns.
However, FireEye says the attacks were actually carried out by APT38. The
attacks, many of which targeted the SWIFT banking system, were aimed at, among
others, Vietnam’s TP Bank in 2015, Bangladesh’s central bank in 2016, Taiwan’s
Far Eastern International in 2017, Bancomext in Mexico in 2018, and Banco de
Chile also in 2018.

“Attribution to both the ‘Lazarus’ group and TEMP.Hermit was made with varying
levels of confidence primarily based on similarities in malware being leveraged
in identified operations,” FireEye said in its report on APT38. “Over time these
malware similarities diverged, as did targeting, intended outcomes, and TTPs,
almost certainly indicating that TEMP.Hermit activity is made up of multiple
operational groups primarily linked together with shared malware development
resources and North Korean state sponsorship.”

FireEye believes that several other attacks that made the news – involving banks
in Africa, Vietnam, Malaysia, the Philippines, Ecuador, and India – may have
also been carried out by APT38 based on timing, location, malware, general TTPs
and the fact that they targeted SWIFT systems.

Unlike other North Korean threat groups, APT38’s attacks are almost exclusively
cyber heists whose likely goal is to raise money for the regime. On the other
hand, unlike typical cybercrime operations, APT38’s campaigns are more similar
to espionage.

“APT38 executes sophisticated bank heists typically featuring long planning,
extended periods of access to compromised victim environments preceding any
attempts to steal money, fluency across mixed operating system environments, the
use of custom developed tools, and a constant effort to thwart investigations
capped with a willingness to completely destroy compromised machines
afterwards,” FireEye said.

Experts believe APT38 was created by North Korea in response to the sanctions
imposed on the country. The group was first spotted in February 2014, roughly
one year after the UN blocked the regime from making bulk cash transfers and
restricted its ties to international banking systems. As more sanctions were
imposed on North Korea in the following years, APT38 escalated its activities
and the frequency of its attacks increased.

FireEye has warned that APT38 continues to be active, even after the United
States named and charged an alleged North Korean hacker who is said to have been
involved in the development of Lazarus tools.

Related: U.S. Links North Korean Government to ATM Hacks

Related: NKorea Said to Have Stolen a Fortune in Online Bank Heists





Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He
worked as a high school IT teacher for two years before starting a career in
journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s
degree in industrial informatics and a master’s degree in computer techniques
applied in electrical engineering.

Copyright © 2023 SecurityWeek ®, a Wired Business Media Publication. All Rights
Reserved.