A new security report reveals that the APT38 hackers have launched a new worldwide attack against financial institutions, and millions of dollars have been stolen as a result. The criminal collective is estimated to have stolen over one billion dollars in its recent campaigns.
APT38 Hackers' Latest Attack Campaign: $1.1 Billion Stolen from Targets
The criminal collective known as the APT38 hackers has once again launched a global attack against financial institutions. Most worrying, experts estimate that since it started the group has stolen at least a hundred million dollars. According to the released reports, the proceeds of the malicious operators now total over $1.1 billion.
The criminals are speculated to be from North Korea, although this is not certain. Several different hacking collectives appear to be directed from the country, and the analysis shows that these campaigns resemble those of the other groups attributed to it. Since their first campaigns in 2014 the hackers have been found to target primarily financial organizations in countries worldwide: Russia, Vietnam, the Philippines, Malaysia, Bangladesh, Poland, Turkey, Brazil, Uruguay, Chile, Mexico and the United States of America.
One of the distinct characteristics of the attacks is that APT38's operations are almost always cyber heists in nature. They aim not to sabotage the targets but rather to carry out complex espionage. The tools and tactics they rely on involve a sophisticated plan of action and very deep network penetration.
While researching their planning and operations, the analysts discovered that members of the collective are active on underground hacking forums. One post dating back to 2015 shows that they were looking for exploits at the time, which means the criminals actively search for ways to intrude into target systems without being detected.
The typical intrusion follows this attack pattern:
- Information Gathering — The APT38 hackers gather as much information as possible about the target organizations. This is not limited to their internal structure, but also covers the mechanics of their systems and how they handle SWIFT transactions.
- Intrusion — At this phase the actual hacking takes place. The criminals exploit vulnerabilities using the latest exploits, zero-day attacks and other sophisticated methods.
- Internal Reconnaissance — Once the target machine has been compromised the criminals scan the network and deploy the malware as planned, in order to gather as much information about the network and system configurations as possible. Stealth measures are also applied at this point: the intrusion code is designed to bypass the security systems.
- SWIFT Servers Espionage — The hackers install network monitoring tools that spy on the SWIFT services used by the company. They have also been found to deploy both active and passive backdoors.
- Funds Transfer — Once the SWIFT systems have been compromised the implanted malicious code can process fraudulent SWIFT transactions and also alter the operations history and log files. The stolen money is wired to accounts controlled by the criminals. The theft is split into multiple transactions so as not to draw attention to the operation.
- Evidence Destruction — This stage securely deletes the logs and all traces of the infection. The analysis shows that the malware deploys and executes disk-wiping software, which disrupts forensic efforts. Various ransomware strains are also deployed to the network at this point to destroy the remaining evidence and delay the investigation of the SWIFT services.
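The history alteration in the Funds Transfer phase and the log deletion in the Evidence Destruction phase are exactly what a tamper-evident transaction log is meant to expose. The following is an added example, not code from the report or from any SWIFT product: an HMAC-chained log whose key and final tag are kept on a separate verifier host, so that an edited, removed or truncated entry is detected. The key, records and field names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample key and records (hypothetical; not taken from the report).
# The key must live on a separate verifier host: an attacker who controls the
# log server could otherwise recompute the chain after editing the history.
KEY = b"verifier-key-kept-off-the-logging-host"
GENESIS = b"\x00" * 32
SAMPLE_RECORDS = [
    {"ref": "TX-0001", "amount": "250000.00", "ccy": "USD", "to": "ACCT-A"},
    {"ref": "TX-0002", "amount": "980000.00", "ccy": "USD", "to": "ACCT-B"},
    {"ref": "TX-0003", "amount": "475000.00", "ccy": "USD", "to": "ACCT-C"},
]

def _canon(rec):
    """Canonical JSON so the same record always hashes identically."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()

def chain_records(records, key=KEY):
    """Append each record with tag = HMAC(key, previous_tag || record)."""
    prev, chained = GENESIS, []
    for rec in records:
        tag = hmac.new(key, prev + _canon(rec), hashlib.sha256).digest()
        chained.append((rec, tag))
        prev = tag
    return chained

def verify_chain(chained, key=KEY, expected_last_tag=None):
    """Return (True, None) if intact, else (False, index of the first break).
    An altered or removed middle entry breaks the chain at that index; entries
    removed from the end are only caught by comparing the final tag with the
    one stored off-host at write time (expected_last_tag)."""
    prev = GENESIS
    for i, (rec, tag) in enumerate(chained):
        expected = hmac.new(key, prev + _canon(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, i
        prev = tag
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return False, len(chained)
    return True, None

if __name__ == "__main__":
    chained = chain_records(SAMPLE_RECORDS)
    anchor = chained[-1][1]            # copied to the verifier host at write time
    chained[1][0]["amount"] = "1.00"   # simulate an edited history entry
    print(verify_chain(chained))       # (False, 1)
```

Without the off-host anchor, deleting only the most recent entries leaves a chain that still verifies, which is why the final tag has to be exported as each record is written.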
The APT38 hackers are likely to continue their attack campaigns as they have been found to be very profitable. For more information you can read the in-depth report.