North Korean hackers APT38 suspected of targeting Australian banks


This was published 5 years ago

By Chris Zappone

Washington: A group of North Korean hackers stealing hundreds of millions of dollars worldwide before covering its tracks with disk-wiping malware may also be targeting Australian financial institutions.

The group, dubbed APT38 and publicly identified this week, has attempted to steal more than $US1.1 billion ($1.54 billion) from at least 16 institutions in at least 11 countries, including Vietnam, the Philippines, Malaysia and the US, over the past four years.

A new hacking group has been identified. Credit: iStock

Researchers from US-based cyber security company FireEye have found Australian SWIFT banking codes and IP addresses listed in the malware used by the state-backed hackers, suggesting Australian financial institutions may be targets.

"We have seen indications that APT38 may have attempted to target organisations in Australia based on a few factors including that they included hardcoded business identifier codes associated with specific banks in Australia in a particular piece of malware," FireEye senior analyst Jacqueline O'Leary said in Washington.

Business identifier codes are used in SWIFT transactions, the standardised interbank communication system used by most financial institutions to facilitate payment and prevent fraud.

"While targeting [of Australia] isn’t confirmed, there definitely seems to be interest in entities within the country," said O'Leary.
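The inference FireEye describes, hardcoded business identifier codes in a sample pointing at banks in one country, can be reproduced at triage time by pulling BIC-shaped strings out of a binary and tallying them by country code. The script below is an added illustration, not FireEye's tooling; the sample bytes and every BIC in them (AAAA.., BBBB.., ...) are constructed and deliberately fake, and the country whitelist is limited to the codes named in this article.

```python
"""Triage helper: pull BIC-shaped strings out of a sample and tally countries.
Added illustration; SAMPLE and the BICs in it are constructed, not real."""
from __future__ import annotations
import re
from collections import Counter

# ISO 9362 BIC layout: 4-letter institution code, 2-letter ISO 3166 country
# code, 2-char location code, optional 3-char branch code.
BIC_RE = re.compile(r"(?<![A-Z0-9])[A-Z]{4}[A-Z]{2}[A-Z0-9]{2}(?:[A-Z0-9]{3})?(?![A-Z0-9])")

# Country codes named in the article (assumption for the demo); a real run
# would load the full ISO 3166 alpha-2 list. The whitelist is what rejects
# look-alike strings such as "KERNEL32" (country "EL").
KNOWN_COUNTRIES = {"AU", "US", "VN", "PH", "MY", "TW", "CL", "KR", "CN"}


def _printable_views(blob: bytes):
    """Yield the sample as ASCII text plus both UTF-16LE alignments,
    because Windows binaries store many strings as wide characters."""
    yield blob.decode("ascii", errors="ignore")
    for offset in (0, 1):
        yield blob[offset:].decode("utf-16-le", errors="ignore")


def extract_bics(blob: bytes) -> list[str]:
    """Return unique BIC-shaped strings whose country code is plausible."""
    found: list[str] = []
    for text in _printable_views(blob):
        for bic in BIC_RE.findall(text):
            if bic[4:6] in KNOWN_COUNTRIES and bic not in found:
                found.append(bic)
    return found


def countries_of_interest(blob: bytes) -> dict[str, int]:
    """Tally candidate BICs per country; a cluster under one code is the
    kind of targeting signal the article describes for Australia."""
    return dict(Counter(b[4:6] for b in extract_bics(blob)))


# Constructed sample: a DLL name, three fake ASCII BICs, one fake BIC stored
# as UTF-16LE at an odd byte offset, and an 8-letter word that is not a BIC.
SAMPLE = (
    b"\x00KERNEL32.DLL\x00AAAAAU2S\x00BBBBAU2SXXX\x00CCCCVN2X\x00\x00"
    + "DDDDAU2S".encode("utf-16-le")
    + b"\x00\x00NOTAREAL\x00"
)

if __name__ == "__main__":
    print(extract_bics(SAMPLE))           # ['AAAAAU2S', 'BBBBAU2SXXX', 'CCCCVN2X', 'DDDDAU2S']
    print(countries_of_interest(SAMPLE))  # {'AU': 3, 'VN': 1}
```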


North Korea’s state-backed hacking continues even as the country, ruled by strongman Kim Jong-un, has taken early steps to end its diplomatic isolation over its nuclear missile program and human rights abuses. Since Kim’s June summit with US President Donald Trump, North Korea has increased dialogue with South Korea as well as China.

Nevertheless, North Korea’s profile as a sponsor of aggressive hacking has grown in recent years.

In 2014, North Koreans hacked Sony Pictures, and posted internal, private information from the company online, including copies of unreleased films, in a costly case of cyber vandalism.

In September, the US government charged and sanctioned a North Korean man suspected of participating in the 2014 Sony Pictures hack, as well as in the spread of the WannaCry ransomware attack, which last year affected computers in 150 countries.

The US complaint called the “scale and scope of the cyber crimes” by North Korea “staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations”.

Detail on the newly identified hacking group suggests North Korea won’t stop any time soon.

“The timing of recent APT38 operations provides some indication that even diplomatic re-engagement will not motivate North Korea to rein in its illicit financially-motivated activities,” a FireEye report on the group said.

Forensic evidence shows North Korean hackers carefully staking out individuals with access to the targeted institution’s SWIFT system before deploying malware that inserts fake transactions and directs the stolen funds to other banks, from where they can be extracted. The transactions are then deleted with disk-wiping viruses to obscure them, rendering systems inoperable and creating a distraction for victims.

An advanced persistent threat (APT) is a term for a complex, coordinated and persistent cyber attack. It often involves multiple team members working with multiple hacking techniques against a particular target.

APT38’s victims include Vietnam TP Bank, Far Eastern International Bank in Taiwan and Banco de Chile.

Canberra-based ASPI cyber security visiting fellow Tom Uren said the latest news follows a pattern with North Korea.

“It seems that the North Koreans are strapped for cash and are really doing anything they can to get money,” he said.

“They’ll attack banks wherever they find opportunities, so all banks, including Australian ones, will be on their radar.”

Like traditional state-sponsored hacking, APT38 uses espionage techniques, for example monitoring the targeted company’s network for five months after breaking in, to understand the inner workings of the business before stealing funds.

Uren said that in Australia, the big banks were aware of the threat and were well-resourced to fight it.

“But I’d be more worried about the smaller financial institutions in Australia; they are simply less well resourced to deal with this problem.”

“If [APT38] can find weaknesses in Australian banks they’ll definitely try to take advantage of them.”

The author travelled to Washington, DC as a guest of FireEye
